On 04/13/2011 05:02 AM, Judith Flo Gaya wrote:
Hello Rich,
On 04/12/2011 10:24 PM, Rich Megginson wrote:
On 04/12/2011 02:18 PM, Judith Flo Gaya wrote:
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It seems that it doesn't like the certificate.
-8182 is SEC_ERROR_BAD_SIGNATURE. During the TLS/SSL handshake, the client tries to see if the server's cert is correctly signed by the CA cert (the local ca-cert.pem).
Now I have the same error, but using the moznss certs. The certificate was copied from the server, and the cert command confirms the status of the certificate (so it's not bad...
# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/openldap/cacerts.
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@curri2 ~]# certutil -d /etc/openldap/cacerts/ -L "name cert"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

name cert                                                    CTu,u,u

# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid
Please post the output of certutil -L -d /etc/openldap/cacerts -n "name cert"
Also post the output of openssl x509 -in /path/to/the/server-cert.pem -text
The server just complains about the TLS communication: (TLS negotiation failure)
Do you think it is necessary to recompile the server so that the TLS is done by moznss on both sides...
No. That is not the problem.
Thanks for your help, j