List: nssldap
Subject: RE: [nssldap] SSL on AIX 4.3.3
From: "Chapman, Kyle" <Kyle_Chapman () G1 ! com>
Date: 2004-10-21 18:30:20
Message-ID: CEC4708048E79E4CB20CDB491567EA3C016B0627 () mdg1ex03 ! g1 ! com
On AIX 4.3.3, I don't think so. If IBM released a random device (433) I don't recall hearing about it.
-----Original Message-----
From: owner-nssldap@padl.com [mailto:owner-nssldap@padl.com]On Behalf Of Lam, Eric
Sent: Thursday, October 21, 2004 12:12 PM
To: Lam, Eric; Wang, Yu; nssldap@padl.com
Subject: RE: [nssldap] SSL on AIX 4.3.3
I found the issue. It requires prngd to support SSL. Is there a way to avoid running prngd?
-----Original Message-----
From: Lam, Eric
Sent: Thursday, October 21, 2004 11:37 AM
To: 'Wang, Yu'; nssldap@padl.com
Subject: RE: [nssldap] SSL on AIX 4.3.3
Now I see this error when I run ldapsearch on AIX 4.3.3. Any idea? AIX 5.1 and 5.2 have no issue with ldapsearch with the -Z option.

    ldap_start_tls: Connect error (-11)
    additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

Thanks
-----Original Message-----
From: Wang, Yu [mailto:ywang@unf.edu]
Sent: Thursday, October 21, 2004 9:17 AM
To: Lam, Eric; nssldap@padl.com
Subject: RE: [nssldap] SSL on AIX 4.3.3
I would definitely get ldapsearch working under SSL first. Turning on debug would help you see where the connection failed. To me it looks like the CA certificate verification failed. Also pay attention to the path to the CA cert. Your openldap and nssldap may be configured to look in different places for the cert.
You can also use the openssl command to verify your cert:
openssl s_client -CAfile /path/to/cacert.pem -connect yourldapserver:636
--Yu Wang
Information Technology Services
University of North Florida
(904) 620-2820
-----Original Message-----
From: owner-nssldap@padl.com [mailto:owner-nssldap@padl.com]On Behalf Of Chapman, Kyle
Sent: Wednesday, October 20, 2004 5:16 PM
To: nssldap@padl.com
Subject: RE: [nssldap] SSL on AIX 4.3.3
It does work. Your openldap exes (ldapsearch, ldapmodify, etc.) should be working with ssl/tls. This way, you can verify that ssl/tls is working at all before trying to make nss_ldap use ssl/tls.
-----Original Message-----
From: owner-nssldap@padl.com [mailto:owner-nssldap@padl.com]On Behalf Of Lam, Eric
Sent: Wednesday, October 20, 2004 4:33 PM
To: nssldap@padl.com
Subject: [nssldap] SSL on AIX 4.3.3
Now I have both NSS_LDAP 2.20 and 2.17 working on AIX 4.3.3. However, the SSL connection does not work.
The iPlanet LDAP server sees the SSL connection request from my system, but closes it right away. My system did not send any search or bind request.
In non-SSL, I have no problem logging on.
Does anyone know if AIX 4.3.3 supports SSL at all using NSS_LDAP?
I am compiling with OpenSSL 0.9.7d and OpenLDAP 2.2.7.
Thanks
Eric
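
Added example, not part of the original thread: a small shell triage that tells the "PRNG not seeded" failure reported above apart from the CA-verification failure that was first suspected, and lists which seed sources exist on the host. The function names are hypothetical; it assumes the pre-3.0 OpenSSL error-code packing (8-bit library, 12-bit function, 12-bit reason) and OpenSSL's default Unix device and EGD socket paths, and the certificate-failure line is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Unpack a pre-3.0 OpenSSL error code: 8-bit library, 12-bit function, 12-bit reason.
decode_openssl_err() {
    packed=$((0x$1))
    echo "lib=$(( (packed >> 24) & 0xff )) func=$(( (packed >> 12) & 0xfff )) reason=$(( packed & 0xfff ))"
}

# Read client output on stdin and classify the first "error:XXXXXXXX:" line.
# Library 36 is RAND (entropy problem); library 20 is SSL (handshake/certificate).
triage_tls_error() {
    hex=$(sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' | head -n 1)
    if [ -z "$hex" ]; then echo "no-openssl-error"; return 0; fi
    case $(( (0x$hex >> 24) & 0xff )) in
        36) echo "entropy" ;;
        20) echo "tls" ;;
        *)  echo "other" ;;
    esac
}

# List seed sources present on this host, using the default device and
# EGD/prngd socket paths probed by OpenSSL's Unix build. Returns 1 if none exist.
seed_sources() {
    missing=1
    for p in /dev/urandom /dev/random /dev/srandom; do
        if [ -c "$p" ]; then echo "device $p"; missing=0; fi
    done
    for p in /var/run/egd-pool /dev/egd-pool /etc/egd-pool /etc/entropy; do
        if [ -S "$p" ]; then echo "egd-socket $p"; missing=0; fi
    done
    return "$missing"
}

# The two lines reported in the thread, then a constructed certificate failure.
printf '%s\n' 'ldap_start_tls: Connect error (-11)' \
    'additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded' \
    | triage_tls_error
echo 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' \
    | triage_tls_error
decode_openssl_err 24064064
seed_sources || echo "no kernel random device or EGD socket found"
```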