Hi Jeff
Thanks for your reply.
In addition, you should add -servername, too. The option engages SNI.
openssl s_client -connect ldpdd042.hop.lab.emc.com:636 \ -servername ldpdd042.hop.lab.emc.com
Otherwise, you might get the default server at the host ldpdd042. I'm not sure how that would work in this instance. (I know how it works with web servers).
I don't see any difference in the openssl output when I use the 'servername' option:
ldpdd042:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 334 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- ldpdd042:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 -servername ldpdd042.hop.lab.emc.com CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 334 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- ldpdd042:~ #
TLSCACertificateFile should probably be blank. It is probably the CA certs the server would use to authenticate a client when mutual authentication is used. I.e.e, client certificates.
Okay. I commented out that parameter in /usr/local/etc/openldap/slapd.conf and restarted the daemon, with no apparent change in behavior.
TLSCertificateFile should probably be the entire chain used in path building, and not just the server's certificate. Since this is using a self-signed end-entity certificate, it would include just the end-entity certificate. No CA certificates needed.
Here is the certificate that I created for use with OpenLDAP; please let me know of any deficiencies with it.
ldpdd042:~ # openssl x509 -in /etc/ssl/private/server.cert -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 29:c5:df:63:73:c6:ae:91:95:0c:4d:7a:7e:8c:b2:25:50:43:93:15 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = MA, L = Hopkinton, O = Dell Technologies, OU = DPC Engineering, CN = ldpdd042.hop.lab.emc.com Validity Not Before: May 10 16:10:25 2023 GMT Not After : Jun 9 16:10:25 2023 GMT Subject: C = US, ST = MA, L = Hopkinton, O = Dell Technologies, OU = DPC Engineering, CN = ldpdd042.hop.lab.emc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:cc:fd:1d:97:da:63:20:a4:04:e0:30:de:b2:1f: 85:df:3f:ff:c9:a1:e9:02:53:cd:2e:cf:14:f3:45: 20:49:9c:29:e3:1c:6b:7e:9a:a8:45:42:bb:53:e9: b2:20:c4:c7:80:05:cb:ae:ad:1f:de:2a:0e:8a:0a: ab:ff:d6:3b:a0:22:56:ef:4a:c4:f5:4f:54:82:90: 44:38:c6:2c:ac:9d:95:b8:07:f2:7f:76:74:01:47: 56:c5:7e:45:f9:f8:94:25:24:20:b6:56:36:a4:27: 20:99:51:64:12:1b:0a:ba:c3:90:bc:59:58:ad:42: 04:72:76:80:b4:8e:aa:29:1d:59:6b:04:c5:64:15: d9:3a:7d:dd:b5:b7:f4:ed:a7:da:18:f1:82:65:12: 7f:36:32:78:d1:bf:cf:06:12:41:8f:bc:d1:f5:bf: 7d:5d:d8:7b:dd:27:90:34:80:fa:44:44:a9:21:bc: d1:d4:03:d8:ac:03:d4:5b:89:25:f9:f7:da:b5:7e: b1:9e:c9:46:1b:91:e0:78:43:0f:3b:05:64:32:b7: a2:d5:c1:58:4b:ab:1b:a0:a6:77:40:32:30:ef:dc: a2:04:f6:4a:35:57:9b:be:0a:46:32:a5:bc:e1:04: 99:c7:4c:2c:d3:61:f8:f2:3f:7d:5d:4c:76:1a:bb: ba:af Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 4B:36:FE:7A:3C:A2:24:A1:35:18:A0:FA:BE:75:DA:03:6C:CC:DF:F8 X509v3 Authority Key Identifier: keyid:4B:36:FE:7A:3C:A2:24:A1:35:18:A0:FA:BE:75:DA:03:6C:CC:DF:F8
X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 1c:ab:88:54:79:8e:86:54:49:35:b7:81:3b:35:84:7e:d3:4f: 4d:12:a1:86:73:38:e1:7f:b0:d5:6f:99:f3:c2:bb:f4:8a:60: c5:75:67:10:b4:03:80:6e:bb:14:6f:3f:e6:d3:9b:a1:d4:d3: 36:82:45:14:8c:1e:e7:f1:88:91:6d:36:ea:6d:0a:07:ef:ba: 16:43:f9:0e:81:e7:77:bd:20:23:ad:45:54:6e:d4:09:e5:3e: 36:79:63:35:5f:63:57:e6:93:4a:19:5a:46:82:fd:43:aa:2d: cf:1f:9a:fe:3d:5c:d8:60:cb:f6:76:fd:fd:22:92:21:4f:0b: 76:a2:44:36:a9:26:f5:01:a0:c9:83:3f:26:e1:8b:4f:65:93: d6:c7:47:e9:af:c4:d6:37:21:e3:07:6b:20:ae:38:81:30:26: 41:68:fa:99:3a:c3:9c:df:43:4f:37:76:94:cb:88:ae:46:a8: b4:1a:12:bf:01:77:ad:0d:be:20:6b:26:8e:f5:94:91:7f:28: 5c:3c:72:7a:b9:26:b9:69:d7:10:38:60:b7:ec:74:f5:b5:ed: 00:86:9a:5a:28:95:c2:51:d5:af:ef:74:a3:1f:d2:0d:4b:53: bc:e5:b7:3d:63:40:ee:28:0c:ff:7d:bc:88:e4:ab:49:5a:b3: 82:a7:ea:0f ldpdd042:~ #
Because you are using openssl s_client, you need to do something like:
openssl s_client -connect ldpdd042.hop.lab.emc.com:636 \ -servername ldpdd042.hop.lab.emc.com \ -cafile server.cert
When I execute this openssl command on the OpenLDAP server (which, of course, has access to the server certificate), again, no information is read by the 'SSL handshake':
ldpdd042:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 -servername ldpdd042.hop.lab.emc.com -CAfile /etc/ssl/private/server.cert CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 334 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- ldpdd042:~ #
Here's an example of creating a well formed self-signed end-entity (server) certificate:
Here is the command that I used to create the self-signed server certificate; please let me know if it isn't correct for this application: openssl req -nodes -new -x509 -keyout server.key -out server.cert
Thanks for the help! tl
Internal Use - Confidential