OpenLDAP 2.4.11 client
How do I subvert this bogusness? The cert is legit.
% /usr/rcf/bin/ldapsearch -d 1 -v -ZZ -h ldap.our.com -p 4890 -D uid=jblaine -W mail=jblaine@our.com emailmailbox
...
res_errno: 0, res_error: <Start TLS request accepted.Server willing to negotiate SSL.>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation Root CA-1, issuer: /O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation Root CA-1
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
--On Thursday, January 22, 2009 2:20 PM -0500 Jeff Blaine jblaine@kickflop.net wrote:
OpenLDAP 2.4.11 client
How do I subvert this bogusness? The cert is legit.
Provide the CA.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi,
You need to find out where your ldap.conf file is and add an entry to that
TLSREQCERT allow
This directive makes the client allow and complete the ssl handshake even if the server cert does not match.
This error that you get is because either the CN of the server and the issuer are the same, or something like that. That is probably error code 18 or 19 (SSL error codes).
Just try this out to be more clear:
$ openssl s_client -connect x.x.x.x:636 -showcerts
Which will barf out the error codes.
Thanks,
Shawn
Quoting Quanah Gibson-Mount quanah@zimbra.com:
--On Thursday, January 22, 2009 2:20 PM -0500 Jeff Blaine jblaine@kickflop.net wrote:
OpenLDAP 2.4.11 client
How do I subvert this bogusness? The cert is legit.
Provide the CA.
--Quanah
Sankhadip Sengupta wrote:
Hi,
You need to find out where your ldap.conf file is and add an entry to that
Half right.
TLSREQCERT allow
That's a bad idea.
Read the ldap.conf(5) manpage, and add the TLS_CACERT setting.
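An added example (not from the thread or the OpenLDAP project) showing what the two suggestions above look like side by side in ldap.conf, assuming the root CA from the -d 1 trace has been exported to a PEM file at a hypothetical path:

```conf
# Added example: client-side TLS settings in ldap.conf for the case above,
# where ldap.our.com presents a chain ending in a private root CA
# ("SuperDuper Corporation Root CA-1", the depth-2 subject in the trace).
# File paths and BASE are assumptions. ldap.conf(5) documents the lookup
# order: system ldap.conf, then ~/.ldaprc, then LDAPTLS_* environment
# variables, so a per-user override is also possible.

URI     ldap://ldap.our.com:4890
BASE    dc=our,dc=com

# --- The suggestion rejected in the thread -------------------------------
# "allow" makes the client accept whatever certificate the server sends, so
# the StartTLS handshake completes but nothing proves the peer is really
# ldap.our.com. Shown commented out only so the difference is visible.
#TLS_REQCERT allow

# --- The fix: trust the corporate root CA explicitly ---------------------
# Export the root CA certificate (the self-signed depth-2 cert) as PEM and
# point the client at it. The path is an assumption.
TLS_CACERT  /etc/openldap/certs/superduper-root-ca-1.pem

# Alternative when you manage several private CAs: a hashed directory
# (populate the hash links with c_rehash).
#TLS_CACERTDIR /etc/openldap/certs

# Leave verification strict. "demand" is the default and aborts the session
# when no chain can be built to a trusted CA, which is what you want.
TLS_REQCERT demand
```

With the CA file in place, the same `ldapsearch -ZZ ... -d 1` run should pass the depth-2 verification step instead of failing with "self signed certificate in certificate chain"; the quickest single-user test is `LDAPTLS_CACERT=/path/to/ca.pem` in the environment before re-running it.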
I know what you mean. It's probably not a good idea for security to allow connections without verifying the end-host authenticity.
But here's the thing: there is no prompt right during the SSL handshake. But if you can do the SSL handshake before letting the LDAP connection initiate and then obtain the certificate of the CA, this should solve it. But otherwise, if you don't, or you don't know which CA the server uses, then this is the only way to go about it.
Thanks
----- Original Message -----
From: "Howard Chu" hyc@symas.com
To: "Sankhadip Sengupta" sdsgupta@cs.utah.edu
Cc: openldap-technical@openldap.org
Sent: Thursday, January 22, 2009 7:26 PM
Subject: Re: Self-signed server cert within our corp = failure
Sankhadip Sengupta wrote:
Hi,
You need to find out where your ldap.conf file is and add an entry
to that
Half right.
TLSREQCERT allow
That's a bad idea.
Read the ldap.conf(5) manpage, and add the TLS_CACERT setting.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Sankhadip Sengupta wrote:
I know what you mean. It's probably not a good idea for security to allow connections without verifying the end-host authenticity.
But here's the thing: there is no prompt right during the SSL handshake. But if you can do the SSL handshake before letting the LDAP connection initiate and then obtain the certificate of the CA, this should solve it. But otherwise, if you don't, or you don't know which CA the server uses, then this is the only way to go about it.
None of that applies for this poster, since they clearly know that they have their own self-signed cert for their company.
Thanks