John Gee <john(a)kleinfeld.ch> writes:
Hello,
I have a problem connecting the Solaris 10 native LDAP client to an
OpenLDAP server (slapd 2.4.11) with TLS.
[...]
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
slapd refuses the client certificate.
-( solaris 10 - client )----
# create the NSS certificate database used by the native LDAP client
certutil -N -d /var/ldap
# import the CA certificate (PEM input, hence -a); trust flags CT = trusted CA
# for server certs (C) and for client certs (T) in the SSL slot
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import the ldap server certs as trusted peers (add -a if the files are PEM rather than DER)
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list the cert-db
certutil -L -d /var/ldap
ca-cert CT,,
ldap02.kleinfeld.ch C,,
ldap01.kleinfeld.ch C,,
The server presents the server certificate (ldap01.kleinfeld.ch),
the LDAP client presents the CA, but the server expects a client
certificate. Change slapd.conf not to verify a client certificate.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
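For reference, the slapd.conf directives involved, as an added example that is not taken from either message above. The file paths are assumed; the hostnames and nicknames follow the certutil listing in the original question.

```conf
# /etc/openldap/slapd.conf on ldap01.kleinfeld.ch (assumed path and file names)

# Server-side TLS material: the CA that signed the server certificate, and the
# server certificate/key that the Solaris client imported under the nickname
# "ldap01.kleinfeld.ch". The subject (CN/SAN) must match the host name the
# Solaris client connects to, or the client rejects the server certificate.
TLSCACertificateFile   /etc/openldap/certs/ca-cert.pem
TLSCertificateFile     /etc/openldap/certs/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile  /etc/openldap/certs/ldap01.kleinfeld.ch.key

# Setting that makes slapd request AND require a client certificate. A client
# whose NSS database only holds the CA and server certs fails at
# "SSL_accept:failed in SSLv3 read client certificate", as in the posted log.
#TLSVerifyClient demand

# Setting for clients that have no client certificate: slapd sends no
# CertificateRequest, so the client-certificate step of the handshake is
# skipped and the session completes with server authentication only.
TLSVerifyClient never
```

Per slapd.conf(5), `allow` and `try` still make slapd send a CertificateRequest (they only relax what happens when the client answers with no certificate or an unverifiable one), so `never` is the value that removes the client-certificate step entirely; on a cn=config server the same directive is `olcTLSVerifyClient` on `cn=config`. With `never`, TLS provides confidentiality and server authentication only, so client identity has to come from the bind (simple or SASL), and anonymous TLS connections are accepted at the transport level. Restart slapd after the change, then retry from the Solaris client and check that the "read client certificate" line no longer appears in the TLS trace.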