8:07 a.m.
Hi,
I would like to open a discussion with OpenLDAP team. I hope this is the right email
address. If not please let me know the correct to which this mail should be directed to.
Issue:
We are currently using OpenLdap 2.4.16 version on Win 64 .We are using RSA and MES
Shareadapter internally to build the openldap libs.
I am getting the below error when I use Sha-256 (2048 key length) certificates:
ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am using the option LDAP_OPT_X_TLS_CACERTDIR and pass the cert directory which has the
certificates. This fails.
But the same passes when I use LDAP_OPT_X_TLS_CACERTFILE and point to the certicate which
is of .pem format.
Can you please let me know I am missing something here or is this a bug?
Any help on this is appreciated.
Thanks
Anitha
2:09 a.m.
Am Tue, 25 Mar 2014 11:04:50 -0400
schrieb "Seshadri, Anitha" <anitha.seshadri(a)emc.com>:
Hi,
I would like to open a discussion with OpenLDAP team. I hope this is
the right email address. If not please let me know the correct to
which this mail should be directed to.
Issue:
We are currently using OpenLdap 2.4.16 version on Win 64 .We are
using RSA and MES Shareadapter internally to build the openldap libs.
I am getting the below error when I use Sha-256 (2048 key length)
certificates:
ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL
routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am using the option LDAP_OPT_X_TLS_CACERTDIR and pass the cert
directory which has the certificates. This fails. But the same passes
when I use LDAP_OPT_X_TLS_CACERTFILE and point to the certicate which
is of .pem format.
Can you please let me know I am missing something here or is this a
bug?
Any help on this is appreciated.
Excerpt from openssl documentation:
if CApath is not NULL, it points to a directory containing CA
certificates in PEM format. The files each contain one CA certificate.
The files are looked up by the CA subject name hash value, which must
hence be available.
I presume, your directory does not provide c_hashed subject names.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
9:07 a.m.
Seshadri, Anitha wrote:
I would like to open a discussion with OpenLDAP team.
Please don't spam all these e-mail adresses.
openldap-technical(a)openldap.org is sufficient for asking OpenLDAP usage questions.
We are currently using OpenLdap 2.4.16 version on Win 64 .We are
using RSA and MES Shareadapter internally to build the openldap libs.
I am getting the below error when I use Sha-256 (2048 key length) certificates:
ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am using the option LDAP_OPT_X_TLS_CACERTDIR and pass the cert directory which has the
certificates. This fails.
But the same passes when I use LDAP_OPT_X_TLS_CACERTFILE and point to the certicate which
is of .pem format.
I assume you're using the OpenLDAP client libs on Windows. Furthermore I
assume that you've linked OpenLDAP to the OpenSSL libs.
If yes, then using LDAP_OPT_X_TLS_CACERTDIR might fail since you did not put
the CA certs with hash-based file names into there. Normally on Unixoid
systems like Linux one creates symbolic links with the cert hash as name.
So this seems rather to be a question on how to correctly use OpenSSL on Windows.
Ciao, Michael.
3240
days inactive
3289
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Dieter Klünter -
Michael Ströder -
Seshadri, Anitha