Dieter Klünter wrote:
Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
> Hi list,
> When using TLS, I have information that I'm using a self-signed
> certificate, as shown below:
>
> # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
> ldaps://121.1.1.97/ '(objectclass=*)'
> ldap_url_parse_ext(ldaps://121.1.1.97/)
> ldap_create
> ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP 121.1.1.97:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 121.1.1.97:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject:
> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
> -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
> signed certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is quite picky about correct certificate chains.

No, the software will accept whatever you tell it to use, if you configure it
appropriately.

You really should create a full certificate chain, that is, a CA, a
server certificate and a server key.

But yes, the Project always recommends that you do the right thing.

--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
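
The chain recommended in the thread (a CA, a server certificate and a server key), sketched with the openssl CLI as an added example that is not part of the original messages; the function names, file names and example.com host names are assumptions. The last lines reproduce the `err: 18` from the trace by verifying a self-signed certificate for which the verifier holds no trust anchor.

```shell
#!/bin/sh
# Added example; make_chain, check_cert, file names and host names are assumptions.

make_chain() {  # usage: make_chain <output-dir> <server-fqdn>
    d=$1; cn=$2
    mkdir -p "$d" || return 1
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example CA for $cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. CA key plus self-signed CA certificate: the trust anchor clients receive.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # 2. Server key and signing request for the name clients connect to.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=$cn" -keyout "$d/server.key" -out "$d/server.csr" \
        2>/dev/null || return 1
    # 3. The CA signs the request; the host name also goes into subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$d/san.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/san.cnf" \
        -out "$d/server.pem" 2>/dev/null || return 1
    chmod 600 "$d/ca.key" "$d/server.key"
}

check_cert() {  # usage: check_cert <trusted-ca-file> <cert-file>
    openssl verify -CAfile "$1" "$2" 2>&1
}

# Demo with constructed names in a scratch directory.
tmp=$(mktemp -d)
make_chain "$tmp/site" ldap.example.com
make_chain "$tmp/other" other.example.com
# Server certificate checked against its own CA: verifies.
check_cert "$tmp/site/ca.pem" "$tmp/site/server.pem"
# Self-signed certificate with no matching trust anchor: error 18, as in the trace.
check_cert "$tmp/other/ca.pem" "$tmp/site/ca.pem"
rm -rf "$tmp"
```

On the server the three files map to `TLSCACertificateFile`, `TLSCertificateFile` and `TLSCertificateKeyFile` in slapd.conf; clients name the CA with `TLS_CACERT` in ldap.conf.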