
List:       ldap
Subject:    [ldap] Re: ldaps: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
From:       Sam Tran <stlist () gmail ! com>
Date:       2005-10-04 2:21:23
Message-ID: cee681b00510031921o38904581yc80716d7d925b3b2 () mail ! gmail ! com

On 10/3/05, Ran Li <Ran.Li@sprint-canada.com> wrote:
> Basically I followed the OpenLDAP_TLS_howto document (by D. Kent
> Soper), using the "CA issued certificate" setup (section 4.2); here is
> what I got (on the ldap server)
> 
> # openssl s_client -connect localhost:636 -showcerts
> ...
> Verify return code: 19 (self signed certificate in certificate chain)
> 
> # openssl s_client -connect myserver.com:636 -showcerts -state -CAfile
> /usr/local/openssl/misc/var/ca/cacert.pem
> ...
> Verify return code: 0 (ok)
> 
> slapd.conf looks like below
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> 
> started slapd with -h "ldap:/// ldaps:///"
> 
> nmap on server says
> 389/tcp open ldap
> 636/tcp open ldapssl
> 
> # ldapsearch -x -b "o=mydomain.com" -D "cn=replica,o=mydomain.com"
> '(objectclass=*)' -H ldaps://myserver.com -W
> Enter LDAP Password:
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> # ldapsearch -d1 -x -H ldaps://localhost:636/
> ldap_create
> ldap_url_parse_ext(ldaps://localhost:636/)
> ldap_bind
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject:
> snip ....
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA

Did you specify the CA certificate in your ldap.conf file?

Sam

---
You are currently subscribed to ldap@umich.edu as: [ldap@progressive-comp.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the \
SUBJECT of the message.
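Added example, not part of the original thread or of the OpenLDAP howto it cites: a throwaway CA made with the openssl CLI reproduces why the client side reported verify error 19 (the server presents the CA certificate in its chain via TLSCACertificateFile, but the client has no trust anchor for it) and why naming that CA file on the client fixes it, then writes the client-side ldap.conf directive Sam is asking about. It assumes the openssl command is installed; the CA, the hostname, the paths and the ldap.conf contents are all constructed for the demo, and nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is present;
# every name, path and certificate below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA plus a server certificate issued by it: the same shape as
# the "CA issued certificate" setup (cacert.pem / servercert.pem / serverkey.pem).
make_ca_and_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=myserver.com" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/servercert.pem" >/dev/null 2>&1
}

# Verify the server certificate the way libldap does when it connects.
# The CA cert is given as -untrusted because slapd sends it in the chain
# (that is what TLSCACertificateFile does); the chain's root only counts
# as trusted if the client has it in its own trust file, passed as $1.
# Echoes "ok", or the openssl verify error number (19 = self signed
# certificate in certificate chain, exactly what ldapsearch -d1 printed).
verify_as_client() {
    if [ -n "$1" ]; then set -- -CAfile "$1"; else set --; fi
    out=$(openssl verify "$@" -untrusted "$WORK/cacert.pem" \
              "$WORK/servercert.pem" 2>&1) || true
    if echo "$out" | grep -q ': OK$'; then
        echo ok
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# The client-side fix: libldap reads TLS_CACERT from ldap.conf (or the
# user's ~/.ldaprc); slapd.conf's TLSCACertificateFile only configures the
# server.  Writes a demo file under $WORK instead of /etc/openldap/ldap.conf
# and echoes its path.
write_client_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
# Constructed client config for the demo; hypothetical URI and base.
URI         ldaps://myserver.com
BASE        o=mydomain.com
TLS_CACERT  $WORK/cacert.pem
# Do not "fix" the error with TLS_REQCERT never: that accepts any
# certificate and silently disables server authentication.
TLS_REQCERT demand
EOF
    echo "$WORK/ldap.conf"
}

make_ca_and_server_cert
echo "without a client TLS_CACERT: $(verify_as_client "")"                # 19
echo "with the CA as TLS_CACERT:   $(verify_as_client "$WORK/cacert.pem")" # ok
conf=$(write_client_ldap_conf)
grep '^TLS_' "$conf"
```

The same check against a live slapd is what Ran Li already ran: `openssl s_client -connect myserver.com:636 -CAfile cacert.pem` returning "Verify return code: 0 (ok)" proves the server side is fine, so the remaining failure is the client's missing trust anchor, not the server's certificate.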

