New subject: RES: SSL Help

12 Feb 2008


      Hi, I'm having some troubles with openldap w/ TLS. 
I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back 
  "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
   TLS trace: SSL3 alert read: fatal:unknown CA
   TLS trace: SSL_accept:failed in SSLv3 read client certificate A
   TLS: can't accept
   TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 
s3_pkt.c:1053
I've tried and tested my ssl connection using:
   openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile 
/usr/local/etc/openldap/cacert.pem
and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, 
the server will reject the connection
saying that the client didn't send the certificate.
I also tried the client authentication ssl test and the works w/ and w/o 
the TLSVerifyClient demand option:
   openssl s_client -connect ldap1.mylan:636 -state \ 
    -CAfile /usr/local/etc/openldap/cacert.pem \ 
    -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \ 
   -key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does any know what i'm doing wrong?
Here are the tls part of my configs: 
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE    dc=mylan
HOST    ldap1.mylan
#URI    ldaps://127.0.0.1:636 
TLS_CACERT      /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/ 
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with. 
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Thanks, 
Vinh