>>> Siddharth Jain <siddj...@live.com> wrote on 05.10.2020 at 21:02 in message <mwhpr08mb24009b17ed73c713bba2180cb5...@mwhpr08mb2400.namprd08.prod.outlook.com>:
> we have made some progress. On Linux machine we don't get that error but get
> another error instead.
> TLS certificate verification: Error, self signed certificate in certificate
> chain
>
> It looks like it complains about a self-signed certificate but that
> certificate is that of the root CA and by definition that will be self-signed.

Right, but it could be that you have to explicitly trust such certificates. In
recent SLES there exists a "trust anchor ..." command to add CA certificates to
the system. The "Mickey Mouse" CA most likely isn't standard...

>
> ldap_url_parse_ext(ldaps://ldap.foo.com:636)
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.foo.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.67.242.198:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_intercept_initialization: INFO: entry options follow:
> tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
> tlsmc_intercept_initialization: INFO: certfile = `/home/client/client_tls_cert.pem'
> tlsmc_intercept_initialization: INFO: keyfile = `/home/client/client_tls_key.pem'
> tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
> tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
> tlsmc_open_nssdb: INFO: initialized MozNSS context.
> tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6'.
> tlsmc_convert: INFO: using the existing PEM dir.
> tlsmc_intercept_initialization: INFO: altered options follow:
> tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cacerts'
> tlsmc_intercept_initialization: INFO: certfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cert.pem'
> tlsmc_intercept_initialization: INFO: keyfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/key.pem'
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in error
> TLS trace: SSL_connect:error in error
> TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> ________________________________
> From: Quanah Gibson-Mount <qua...@symas.com>
> Sent: Monday, October 5, 2020 11:10 AM
> To: Siddharth Jain <siddj...@live.com>; openldap-techni...@openldap.org <openldap-techni...@openldap.org>
> Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
>
>
>
> --On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain <siddj...@live.com> wrote:
>
>> TLS: during handshake: peer cert is valid, or was ignored if verification
>> disabled (-9841) TLS: during handshake: Peer certificate is not trusted:
>> kSecTrustResultRecoverableTrustFailure
>
> This message comes from Apple's TLS library. This would indicate that
> you're using a hacked version of OpenLDAP. We cannot offer support for a
> hacked version of OpenLDAP. You will need to ask Apple for help on how to
> correctly configure TLS within their environment.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
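The trace quoted above is libldap's OpenSSL verification output (`ldapsearch -d 1` style): the `depth: 2, err: 19` line says the chain ended at a certificate whose subject equals its issuer, i.e. a self-signed root that is not in the client's trust store, which is exactly the "explicitly trust the CA" point made in the reply. The following parser is an added example for this thread, not code from OpenLDAP or from any poster. It turns such trace lines into a diagnosis and a remediation hint; the error-code table is the subset of OpenSSL `X509_V_ERR_*` values that appear in the `err:` field, the `ldap.conf` option names `TLS_CACERT`/`TLS_CACERTDIR` are real, and the sample trace is rebuilt from the thread's quoted lines with mail wrapping removed.

```python
"""Diagnose OpenLDAP client TLS verification failures from a -d 1 trace.

Added example; not OpenLDAP code. Maps the "err: N" value libldap prints
(an OpenSSL X509_V_ERR_* code) to a name and a client-side fix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL verify result codes as printed in "err: N" (subset).
X509_ERRORS = {
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    27: "X509_V_ERR_CERT_UNTRUSTED",
}

# What to fix on the *client* (ldap.conf or ~/.ldaprc) for each code.
ADVICE = {
    9: "Certificate not yet valid: check the client clock before touching the trust store.",
    10: "Certificate expired: the server operator must renew it.",
    18: "Server sent a self-signed leaf: that certificate itself must go into TLS_CACERT.",
    19: "Chain ends at a self-signed root the client does not trust: add the root CA "
        "certificate to TLS_CACERT (PEM file) or TLS_CACERTDIR (c_rehash'ed dir).",
    20: "An intermediate is missing locally: the server should send the full chain, "
        "or the intermediate must be added to the client CA store.",
    21: "Issuer of the leaf not found: add the issuing CA to the client CA store.",
    27: "Certificate untrusted: verify the CA set in TLS_CACERT/TLS_CACERTDIR.",
}

VERIFY_RE = re.compile(
    r"^TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*), issuer: (.*)$"
)


@dataclass
class VerifyFailure:
    depth: int
    err: int
    subject: str
    issuer: str

    @property
    def name(self) -> str:
        return X509_ERRORS.get(self.err, f"X509_V_ERR_{self.err} (unlisted)")

    @property
    def self_signed(self) -> bool:
        # A self-signed certificate names itself as its issuer.
        return self.subject == self.issuer

    def advice(self) -> str:
        return ADVICE.get(self.err, "Inspect the served chain with "
                                    "'openssl s_client -showcerts'.")


def parse_trace(trace: str) -> List[VerifyFailure]:
    """Return every per-certificate verification failure in the trace, in order."""
    failures = []
    for line in trace.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            depth, err, subject, issuer = m.groups()
            failures.append(VerifyFailure(int(depth), int(err), subject, issuer))
    return failures


def diagnose(trace: str) -> Optional[str]:
    """One-line diagnosis of the first failure, or None if verification was clean."""
    failures = parse_trace(trace)
    if not failures:
        return None
    f = failures[0]
    kind = "self-signed" if f.self_signed else "CA-issued"
    return f"depth {f.depth}: {f.name} on {kind} cert '{f.subject}': {f.advice()}"


# Constructed sample: the thread's trace lines with mail wrapping rejoined.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Run against a real trace (`ldapsearch -d 1 -H ldaps://host ... 2>&1 | python3 diagnose.py` with `sys.stdin.read()` substituted for `SAMPLE_TRACE`) it gives the operator the depth at which trust broke and which `ldap.conf` knob to set; the first failure reported is the one OpenSSL acted on, which is why `diagnose` only explains that one.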