Hi Rich,
Thanks for your answer.
On 11/07/2011 17:30, Rich Megginson wrote:
> Can you do openssl x509 -in /path/to/cert.pem -text and paste the output here? /path/to/cert.pem is the file containing the cert which has the Subject DN: CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR
> Is this the server cert of the remote server (i.e. not the syncrepl client)?
This is the certificate defined as my main LDAP server's certificate (used to enable ldaps connections). It is not the syncrepl provider's certificate, nor a certificate intended to be used to authenticate my main LDAP server to the provider.
> Be sure to obscure any sensitive data in the -text output before sending.
Here's the certificate with identification fields modified, though a public certificate shouldn't contain such critical data (I wouldn't have sent my private key though ;-) ).
What is interesting here, I think, is the "TLS Web Server Authentication, Code Signing" value for the "X509v3 Extended Key Usage" extension. This means that the certificate is not to be used as a client authentication certificate, so syncrepl is right in stating that the SSL connection can't be established. Though the question is, why on earth is my server trying to use my server's certificate as a client certificate while connecting to the syncrepl ldaps provider! It should instead only check the provider's server certificate and then bind using the provided credentials to authenticate to the provider.
-------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=thibault.lemeur@supelec.fr
        Validity
            Not Before: Oct 2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:2e:a1:15:f3:a1:50:5a:f3:8c:d8:18:07:47:
                    ef:37:83:b8:d6:5f:e3:ad:10:1e:8b:ce:8a:00:e3:
                    27:ac:75:7d:47:1a:74:31:b9:f1:9e:54:2c:44:82:
                    86:94:d6:36:ab:2e:88:1d:6b:b1:9c:5c:66:ad:32:
                    2c:46:6b:1b:fe:a2:cc:d6:30:13:8e:e8:de:c2:60:
                    90:73:5c:8c:e1:93:49:e8:94:ab:4b:0a:5f:8f:ff:
                    a6:1a:46:19:20:ab:cc:c6:69:7d:81:8c:16:90:b4:
                    02:bd:f8:c5:64:3f:03:d5:b6:94:a5:84:f5:58:01:
                    ed:79:40:a7:8b:23:99:41:23:54:43:93:fa:71:9b:
                    aa:5d:93:74:6c:02:e8:4c:d7:c1:99:85:19:01:5b:
                    d3:76:ee:f8:7e:eb:82:b1:51:4a:78:7b:7d:85:a3:
                    e2:8c:55:b6:93:b3:a0:f6:52:8f:8c:25:98:56:c1:
                    b6:86:fc:a2:07:74:00:27:56:c5:05:7f:8e:c3:f2:
                    4a:26:1a:9f:65:42:aa:8e:bb:62:36:f5:f7:cf:e5:
                    1e:97:19:27:37:33:33:3c:9c:a3:d1:0f:a7:fd:55:
                    c7:66:20:08:02:7c:4b:39:39:ce:9b:78:c6:33:07:
                    5b:41:08:e4:71:ee:a9:f4:ae:f7:03:5b:42:c0:64:
                    6e:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                7C:0D:57:20:C4:AD:35:D3:ED:E3:DE:FE:83:5E:DF:A4:F0:BB:4F:84
            X509v3 Authority Key Identifier:
                keyid:7D:86:22:B4:83:06:D7:49:7F:9A:BF:D6:83:41:BB:69:E5:65:6C:6E
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00
            X509v3 Issuer Alternative Name:
                <EMPTY>
            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        a4:c4:58:03:f5:4f:d5:d5:4b:65:a4:6e:ca:16:21:fd:8c:49:
        06:0c:ce:74:20:17:40:c7:0f:f1:3a:15:fb:9b:37:07:4b:e2:
        2a:aa:1a:cc:0b:0c:f0:aa:3c:32:17:27:1f:1d:50:e9:ff:16:
        55:04:90:a9:61:37:b0:f0:95:a0:c8:cf:7d:7b:0b:ed:09:a8:
        92:3e:86:a5:d1:13:7b:ae:6d:d4:99:96:4f:bf:b0:d4:84:58:
        94:50:91:60:75:7e:24:30:15:d6:64:70:80:09:76:df:1f:27:
        4b:3d:1c:53:b7:4e:ba:5e:d2:20:11:53:ab:32:ec:27:0c:32:
        53:90
-------------------------------------------------------------------
Regards, Thibault
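The Extended Key Usage diagnosis made in the message above, turned into a repeatable check. This is an added example, not code from the thread or from OpenLDAP: it generates throw-away self-signed certificates with chosen EKU values (the helper names make_cert, eku_of and cert_allows_client_auth are my own) and reports whether each one may be presented as a TLS client certificate, which is the role a syncrepl consumer would need from it. It assumes an openssl binary of version 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example (not from the thread): build test certificates with a given
# extendedKeyUsage and judge them the way a TLS peer judges a client cert.
# Assumes openssl >= 1.1.1 is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT.pem "EKU,list"   (empty list = no EKU extension at all)
make_cert() {
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.example" \
      -addext "extendedKeyUsage=$2" -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.example" \
      -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
  fi
}

# eku_of CERT.pem : print the line that follows "X509v3 Extended Key Usage"
# in openssl x509 -text output (empty when the extension is absent).
eku_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Extended Key Usage/ { getline; sub(/^ */, ""); print; exit }'
}

# cert_allows_client_auth CERT.pem : exit 0 if the cert may authenticate a
# TLS client. Per RFC 5280 4.2.1.12, no EKU extension means no restriction;
# an EKU that lacks clientAuth (e.g. "serverAuth, codeSigning") forbids it.
cert_allows_client_auth() {
  eku=$(eku_of "$1")
  [ -z "$eku" ] && return 0
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo: the same EKU as the server certificate quoted in the thread.
make_cert "$WORK/server.pem" "serverAuth,codeSigning"
echo "EKU: $(eku_of "$WORK/server.pem")"
if cert_allows_client_auth "$WORK/server.pem"; then
  echo "usable as a TLS client certificate"
else
  echo "server-only EKU: a TLS client handshake presenting it will be rejected"
fi
```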