Hello,
you were right. The only way to get the PKCS#11 access working was to
patch the tls_g.c file using gnutls_certificate_set_x509_key_file
instead of gnutls_certificate_set_x509_key. The former function also
handles PKCS#11 URIs. So the tlsg_get_file function is obsolete.
After I recompiled OpenLDAP to use the Mozilla NSS framework (quite a
complicated process - see
http://www.openldap.org/faq/data/cache/196.html) I created a new
certificate database directory structure and added the PKCS#11 module
of my smartcard with modutil (but without specifying any
After I managed to connect to the LDAP server with gnutls-cli (with a
PKCS#11 URI containing a pinfile attribute) I tried to set those
PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these
settings are handled as a PEM-encoded file (see function tlsg_ctx_init in
tls_g.c) and a
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I tried to set those PKCS#11 URIs in the
ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as a
PEM-encoded file (see function
Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I tried to set those PKCS#11 URIs in the
ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as a
PEM-encoded file
Looks promising. For instance, the function PK11_FindKeyByDERCert in
tls_m.c. I will try it with this one.
On 24.06.2013 18:26, Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I
On 06/17/13 10:26 +0200, Stefan Scheidewig wrote:
Hello,
we have two LDAP instances. LDAP A acts as a proxy for LDAP B using the
ldap-backend. Now we have configured LDAP B to use client authentication.
We successfully established a connection to LDAP B using OpenSSL
s_client and the PKCS#11 engine
It seems that this special configuration is not possible.
Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS:
On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
It seems that this special configuration is not possible.
Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO
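The fix reported at the top of the thread comes down to one distinction: a TLS_KEY or TLS_CERT value may be a pkcs11: URI rather than a file, so it has to reach a URI-aware loader such as gnutls_certificate_set_x509_key_file instead of being fopen()'d as PEM (which is exactly what produced the "No such file or directory" errors quoted above). The following is an added example and not OpenLDAP or GnuTLS code: it makes that check, parses the URI's attributes (including the pinfile query attribute mentioned in the thread) with a minimal RFC 7512-style parser, and flags URIs that carry a PIN reference. EXAMPLE_URI is a constructed sample and the pin-value attribute name is taken from RFC 7512, not from the thread.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample TLS_KEY value for ldaprc; not taken from the thread. */
static const char *EXAMPLE_URI = "pkcs11:model=PKCS%2315%20emulated;token=MyCard;"
                                 "object=ldapclient;type=private?pinfile=%2Fetc%2Fldap%2Fpin.txt";

/* A value naming a PKCS#11 object must reach the URI-aware GnuTLS loader
 * (gnutls_certificate_set_x509_key_file); only a plain path is a PEM file. */
int tls_setting_is_pkcs11_uri(const char *v) {
    return v != NULL && strncmp(v, "pkcs11:", 7) == 0;
}

/* Decode n bytes of src (%XX escapes) into a static buffer; not reentrant. */
static const char *pct_decode(const char *src, size_t n) {
    static char dst[256];
    size_t o = 0;
    for (size_t i = 0; i < n && o + 1 < sizeof dst; i++) {
        if (src[i] == '%' && i + 2 < n && isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else
            dst[o++] = src[i];
    }
    dst[o] = '\0';
    return dst;
}

/* Return the decoded value of one attribute, or NULL: ';'-separated path
 * attributes come before '?', '&'-separated query attributes (pinfile) after. */
const char *pkcs11_uri_get_attr(const char *uri, const char *name) {
    if (!tls_setting_is_pkcs11_uri(uri)) return NULL;
    const char *p = uri + 7;
    size_t nlen = strlen(name);
    int in_query = 0;
    while (*p) {
        const char *end = p;
        while (*end && *end != (in_query ? '&' : ';') && (in_query || *end != '?')) end++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return pct_decode(p + nlen + 1, (size_t)(end - p - nlen - 1));
        if (*end == '?') in_query = 1;
        p = *end ? end + 1 : end;
    }
    return NULL;
}
/* A PIN attribute means ldaprc now references PIN material: worth flagging. */
int pkcs11_uri_has_pin_attr(const char *uri) {
    return pkcs11_uri_get_attr(uri, "pinfile") || pkcs11_uri_get_attr(uri, "pin-value");
}
```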