John Gee john@kleinfeld.ch writes:
Hello,
I have a problem with connecting the Solaris 10 native LDAP client to an OpenLDAP server (slapd 2.4.11) with TLS.
[...]
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
slapd refuses the client certificate.
-( solaris 10 - client )----
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/

# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem

# list cert-db
certutil -L -d /var/ldap
ca-cert               CT,,
ldap02.kleinfeld.ch   C,,
ldap01.kleinfeld.ch   C,,
The server presents the server certificate (ldap01.kleinfeld.ch), the LDAP client presents the CA, but the server expects a client certificate. Change slapd.conf not to verify a client certificate.
-Dieter
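The slapd.conf change Dieter refers to is the TLSVerifyClient directive; the fragment below is an added example, not part of the original thread, and the certificate and key paths are assumptions:

```conf
# slapd.conf TLS section (file paths are placeholders, not from the thread)
TLSCACertificateFile   /etc/openldap/cacerts/ca-cert.pem
TLSCertificateFile     /etc/openldap/certs/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile  /etc/openldap/certs/ldap01.kleinfeld.ch.key

# "demand": slapd requests a client certificate and fails the TLS handshake
# unless the client presents one that chains to TLSCACertificateFile. A client
# that has only the CA and server certificates in its cert-db, as in the
# Solaris setup above, cannot satisfy this.
#TLSVerifyClient demand

# "never": slapd does not request a client certificate at all. The client is
# then authenticated by its bind (simple bind over the TLS session, or SASL),
# so keep anonymous access restricted via the usual access/bind controls.
TLSVerifyClient never

# Intermediate settings, if client certificates are wanted but not required:
#   allow  - request a certificate; ignore a missing or unverifiable one
#   try    - request a certificate; accept none, but reject an unverifiable one
```

After changing the directive, restart slapd and confirm with `ldapsearch -ZZ` from the Solaris client that the StartTLS handshake completes.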