--On Friday, October 17, 2008 7:30 PM +0200 [EMAIL PROTECTED] wrote:

Quanah Gibson-Mount wrote:
--On Friday, October 17, 2008 6:21 PM +0200 Mayer Gabor
<[EMAIL PROTECTED]> wrote:

Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal

server slapd.conf:
TLSCACertificateFile /etc/ldap/server.crt
TLSCertificateFile /etc/ldap/server.crt
TLSCertificateKeyFile /etc/ldap/server.key
TLSVerifyClient true

client ldap.conf:
BASE dc=example,dc=org
URI ldaps://ldap.example.org
TLS_CACERT /etc/ldap/server.crt
TLS_CERT /etc/ldap/server.crt
TLS_KEY /etc/ldap/server.key

client log:
ldapsearch -d 255 -x
TLS: can't connect: A TLS fatal alert has been received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

server log:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455

The client received the server's certificate without problems, but the client doesn't send its own certificate to the server:
SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455

Your client log and server log snippets don't make sense. The client says it couldn't contact any LDAP server (-1). Are you sure you're looking at the same connection data?

Also, what specifically are you trying to accomplish? A SASL/EXTERNAL bind? That can't be done with the "-x" option. If you're only trying to set up SSL/TLS between the client & server, get rid of the TLS_CERT and TLS_KEY parameters (those are user only, for SASL/EXTERNAL binds), and make sure that the TLS_CACERT is pointing to the CA for the LDAP server.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
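As an added illustration of the two setups Quanah distinguishes (this is not from the original report or from OpenLDAP's own documentation; the /etc/ldap/ca.crt, client.crt and client.key paths, the user alice and the authz-regexp mapping are assumptions), here is a server-authentication-only configuration beside one for SASL/EXTERNAL client-certificate binds:

```conf
### Case 1: TLS only. The server authenticates to the client; the client
### binds with "-x" (simple bind) and never presents a certificate.

# /etc/ldap/slapd.conf (server side; paths are assumed)
TLSCACertificateFile  /etc/ldap/ca.crt      # the CA that issued server.crt
TLSCertificateFile    /etc/ldap/server.crt
TLSCertificateKeyFile /etc/ldap/server.key
TLSVerifyClient       never                 # do not demand a client certificate

# /etc/ldap/ldap.conf (system-wide client configuration)
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org
TLS_CACERT  /etc/ldap/ca.crt                # the CA, not the server's own certificate
TLS_REQCERT demand                          # abort the connection if the server cert fails to verify
# No TLS_CERT / TLS_KEY here: they are user-only options and are ignored in
# the system-wide file, so a client would never send a certificate anyway.

### Case 2: SASL/EXTERNAL. The client proves its identity with its own
### certificate and binds with "-Y EXTERNAL" instead of "-x".

# /etc/ldap/slapd.conf additions (server side)
TLSVerifyClient       demand                # "true" is an alias for demand
# Map the certificate subject DN to a directory entry. Only needed when the
# subject DN is not itself an entry DN; the pattern below is an assumption.
authz-regexp
  "^cn=([^,]+),ou=people,dc=example,dc=org$"
  "ldap:///dc=example,dc=org??sub?(uid=$1)"

# ~/.ldaprc for the user doing the bind (user-only options belong here)
TLS_CACERT  /etc/ldap/ca.crt
TLS_CERT    /home/alice/.ldap/client.crt    # client certificate issued by the same CA
TLS_KEY     /home/alice/.ldap/client.key    # readable only by alice
```

For case 1 the query is `ldapsearch -x -H ldaps://ldap.example.org -b dc=example,dc=org`; for case 2 it is `ldapsearch -Y EXTERNAL -H ldaps://ldap.example.org -b dc=example,dc=org`, since `-x` selects a simple bind and is incompatible with a SASL mechanism. Note that a server set to `TLSVerifyClient demand` (or `true`) will reject every client that does not present a certificate with exactly the handshake failure shown in the report's server log, so the server setting and the client's intended bind method have to be chosen together.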


