Eric Covener wrote:
On 10/17/07, Alexander Fortin <[EMAIL PROTECTED]> wrote:
<IfModule util_ldap.c>
         LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/cacert.pem
         LDAPTrustedMode SSL
         LDAPVerifyServerCert off
</IfModule>

Wireshark will format the initial stages of the handshake pretty
nicely; you might see something fishy or a plaintext SSL Alert.

Can openssl handshake w/ the ldap server? Is its cert issued by that
cacert.pem? Can openssl validate the cert chain when you give it that
same cacert.pem?


Yes, openssl looks fine to me. Or at least from the console:

# openssl s_client -connect myldapserver:636 -CAfile /etc/ssl/certs/cacert.pem

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=myldapserver/[EMAIL PROTECTED]
   i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/[EMAIL PROTECTED]
 1 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/[EMAIL PROTECTED]
   i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEXjCCA8egAwIBAgIBAzANBgkqhkiG9w0BAQQFADCByjELMAkGA1UEBhMCQVUx
[...]
-----END CERTIFICATE-----
subject=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet services/CN=myldapserver/[EMAIL PROTECTED]
issuer=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 2364 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 6BE2EE5A88866AB4D8303ECBB0BD1CA5DD905E3EC5DDBA9A3A1D0652EB3B6829
    Session-ID-ctx:
    Master-Key: 0454B3AF0B372ED6B530FA25C57DC3E34049A58125EBC99A25B674D9545BE7322D536273C654C53CE9C58DDE410A8A7C
    Key-Arg   : None
    Start Time: 1192679978
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


--
Alexander Fortin
IT Consultant
Informed Technology Pty Ltd
E-mail: [EMAIL PROTECTED]
Ph: 08 9460 4888  Fax: 08 9460 4877

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
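Eric's question was whether openssl can validate the server's chain against the same cacert.pem that Apache is handed. The script below is an added example, not part of the thread or of httpd, that rebuilds that check offline: a throwaway CA signs a server certificate, a second unrelated CA stands in for a wrong cacert.pem, and `openssl verify` is run against both, with and without a hostname check. The names "Security Administration" and "myldapserver" are borrowed from the s_client output above; "Some Other CA" and the hostname ldap.example.invalid are constructed for the demo. The CA-mismatch failure it shows is the one that LDAPVerifyServerCert off in the posted config would stop Apache from reporting.

```sh
#!/bin/sh
# Added example (not from the thread): reproduce the chain check offline.
# All names and files here are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: no CA bit, and a SAN so the hostname check does not
# rely on the CN fallback.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:myldapserver
EOF

# make_ca NAME CN -> self-signed CA certificate in $WORK/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA NAME -> server certificate $WORK/NAME.pem issued by $WORK/CA.pem
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok CAFILE CERT -> exit 0 if CERT chains to a CA in CAFILE.
# This is the check Eric asked for: does the chain validate with that cacert.pem?
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok CAFILE CERT HOSTNAME -> as chain_ok, plus CERT must be valid for HOSTNAME.
host_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_ca cacert "Security Administration"     # the CA that really issued the server cert
make_ca other-ca "Some Other CA"             # a CA file that was never involved
make_leaf cacert myldapserver

# One line per check when run by hand: the first and third pass, the others fail.
for check in \
  "chain_ok $WORK/cacert.pem $WORK/myldapserver.pem" \
  "chain_ok $WORK/other-ca.pem $WORK/myldapserver.pem" \
  "host_ok $WORK/cacert.pem $WORK/myldapserver.pem myldapserver" \
  "host_ok $WORK/cacert.pem $WORK/myldapserver.pem ldap.example.invalid"; do
  if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

Run it with sh; each check prints PASS or FAIL. One caveat on reading a clean result like the "Verify return code: 0 (ok)" above: it proves the chain is valid for the OpenSSL build and CA file the shell command used. Apache's util_ldap does not open the connection itself; it goes through the LDAP SDK apr-util was built against, which has its own TLS library and configuration, so a passing check from the console does not by itself show that the module is reading the same CA file.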
