Hi,
for a couple of days I have been trying to set up a provider and a consumer over SSL, following the documentation in a book [1] and using two servers (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3).
Doing so I was confronted with a lot of different warnings/messages, but finally I got the replication encrypted.
The final step in the tutorial is to use saslmech=external, but the messages I do get are different from the messages I should get.
I noticed and googled some provider debug info and wanted to ask for some proof, clarification or workaround:
From the provider log:
TLS certificate verification: Error, unsupported certificate purpose
...
TLS trace: SSL3 alert write:warning:bad certificate
connection_read(13): unable to get TLS client DN, error=49 id=1
From a posting from 2006 and the answer from Howard Chu [2] I think I do have the same problem: my consumer server certificate "should be", from the provider's view, a client certificate.
From the certificate:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
Am I wrong, right, lost, ...? Is there a workaround or any step while creating the certificates?
Thanks once more and best regards,
Götz
[1] http://www.galileocomputing.de/katalog/buecher/titel/gp/titelID-1801
[2] http://www.openldap.org/lists/openldap-software/200604/msg00202.html
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
Hi,
[...]
I noticed and googled some provider debug info and wanted to ask for some proof, clarification or workaround:
From the provider log:
TLS certificate verification: Error, unsupported certificate purpose
...
TLS trace: SSL3 alert write:warning:bad certificate
connection_read(13): unable to get TLS client DN, error=49 id=1
What is the commonName attribute value of the client certificate?
-Dieter
Dieter Kluenter wrote:
What is the commonName attribute value of the client certificate?
CN=ldap2.filmakademie.de
DNS/resolving is working fine.
/Götz
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
What is the commonName attribute value of the client certificate?
CN=ldap2.filmakademie.de
That's what I thought, but this is not a valid distinguished name, because it is not the client host name that has to be authenticated but an entry's DN.
-Dieter
Hi,
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
You can use this certificate only for server, not for client authentication.
Netscape Cert Type should be "SSL Client, SSL Server" if you use the certificate as client/server (I would prefer this), or "SSL Client" if you use the certificate only as client.
Look for nsCertType in your OpenSSL configuration file.
Man pages: config and x509
-- Klaus Lemkau
On 12.04.2010 11:58, Götz Reinicke - IT-Koordinator wrote:
[...]
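To make Klaus's nsCertType advice concrete, here is an added example (not code from the thread or from OpenLDAP): it builds two self-signed test certificates from an OpenSSL config with x509v3 extension sections, one "server only" like Götz's consumer certificate and one carrying both client and server flags, and then asks openssl which SSL purposes each satisfies. It assumes openssl is in PATH; the CN, section names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build two self-signed test certificates
# from an OpenSSL config with x509v3 extension sections (the syntax the
# x509v3_config man page describes) and ask openssl which SSL purposes each
# one satisfies. Assumes openssl is in PATH; CN and file names are constructed.
set -e
WORK=$(mktemp -d)

cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = ldap-test.example.invalid
# Extension section like the cert in the thread: usable as a TLS server only.
[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
# Extension section for a consumer that must also authenticate as a client
# (SASL EXTERNAL against the provider): nsCertType carries both flags.
[ client_and_server ]
basicConstraints = CA:FALSE
nsCertType = client, server
extendedKeyUsage = clientAuth, serverAuth
EOF

# make_cert SECTION NAME: self-signed cert/key pair using extension section SECTION
make_cert() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
    -config "$WORK/ext.cnf" -extensions "$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# purpose_ok FILE PURPOSE: prints yes if "openssl x509 -purpose" accepts the
# certificate for PURPOSE (e.g. "SSL client"), otherwise no
purpose_ok() {
  if openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"; then
    echo yes
  else
    echo no
  fi
}

make_cert server_only server
make_cert client_and_server both
echo "server-only cert   -> SSL client: $(purpose_ok "$WORK/server.pem" 'SSL client')"
echo "client+server cert -> SSL client: $(purpose_ok "$WORK/both.pem" 'SSL client')"
```

The same purpose check run against the real consumer certificate shows directly whether the provider will accept it as a client certificate.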
Hi Klaus,
thanks a lot. Just two minutes ago I finished my two-hour Google lookup, ending in the same direction :-)
A posting from Howard Chu pointed in the right direction:
http://www.openldap.org/lists/openldap-software/200704/msg00129.html
Then off to ->
http://www.openssl.org/docs/apps/x509v3_config.html
The next minutes I'll dedicate to you, doing some kowtow.
And some more if everything works ;-)
Cheers,
Götz
Klaus Lemkau wrote:
[...]
openldap-technical@openldap.org