Hello Rich,
On 04/12/2011 10:24 PM, Rich Megginson wrote:
On 04/12/2011 02:18 PM, Judith Flo Gaya wrote:
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It seems that it doesn't like the certificate.
-8182 is SEC_ERROR_BAD_SIGNATURE. During the TLS/SSL handshake, the client tries to see if the server's cert is correctly signed by the CA cert (the local ca-cert.pem).
Now I have the same error, but using the moznss certs; the certificate was copied from the server and the cert command confirms the status of the certificate (so it's not bad...).
# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/openldap/cacerts.
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@curri2 ~]# certutil -d /etc/openldap/cacerts/ -L "name cert"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
name cert CTu,u,u
# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid
The server just complains about the TLS communication: (TLS negotiation failure)
Do you think it is necessary to recompile the server so that the TLS is done by moznss on both sides...
Thanks for your help, j
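As an added illustration of the check Rich describes (the client verifying that the server's certificate is signed by the locally trusted CA), and not code from this thread: the script below builds a throwaway CA, issues a server certificate from it, and then runs `openssl verify` against both the issuing CA and an unrelated CA, the second case being the "wrong CA in the trust store" situation that surfaces as a bad-signature error. It assumes `openssl` is on PATH; the CA and host names are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): reproduce offline the condition where the
# server cert is not signed by the CA the client trusts. Everything lives in a
# temporary directory; all names below are constructed.
set -eu
WORK=$(mktemp -d)

# Create a self-signed CA. $1 = file basename, $2 = CN (constructed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue server.pem for hostname $2, signed by the CA whose basename is $1.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Verify server.pem against the CA file named by $1; prints "ok" or "bad".
# This is the same signature check the LDAP client performs in the handshake.
verify_server_cert() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

make_ca real-ca "Real LDAP CA"      # the CA that actually signed the server cert
make_ca stale-ca "Stale LDAP CA"    # an unrelated CA, e.g. an old ca-cert.pem
issue_server_cert real-ca ldap.example.test
verify_server_cert real-ca    # ok:  chain validates
verify_server_cert stale-ca   # bad: cert is fine, but not signed by this CA
```

A certificate that `certutil -V` reports as valid in the server's own database can still fail on the client if the client's CA file is not the issuer of that certificate; comparing the issuer DN of the server cert with the subject DN of the trusted CA is the quickest way to spot this.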