I'm trying to figure out what's wrong with my OpenLDAP setup. I have the same problem that gdowle had, but I'm already using an x509 V3 CA Certificate using sha1WithRSAEncryption as a Signing Algorithm. Here's some relevant information:
openssl s_client -connect serv1.myorganization.com:636 -showcerts -CAfile /etc/openldap/ssl/cacert.pem

The output is a bunch of certificate information and then at the end:

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 816212B370246B17944C3E6F39017C8413643AF164EFC3EDD240CD751D370FFB
    Session-ID-ctx:
    Master-Key: 5970251BDBD2A821813659ECCF6FA2A04EF13C8D386817E15F093475488B510AFDF984D850C5B1ADA776067D8D879F91
    Key-Arg   : None
    Start Time: 1266594131
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

but this does not work:

gnutls-cli --print-cert -p 636 --x509cafile /etc/openldap/ssl/cacert.pem serv1.myorganization.com

Connecting to 'XXX.XXX.XXX.XXX:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# The hostname in the certificate matches 'serv1.myorganization.com'.
# valid since: Tue Apr 28 10:55:23 EDT 2009
# expires at: Fri Apr 26 10:55:23 EDT 2019
# fingerprint: B1:A0:5F:02:C0:72:BE:2C:7F:AC:3E:B1:05:74:93:A1
# Subject's DN: ...
- Certificate[1] info:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# valid since: Tue Apr 28 10:46:26 EDT 2009
# expires at: Fri Apr 26 10:46:26 EDT 2019
# fingerprint: 0D:1C:D5:AA:BC:3B:23:4F:95:51:1C:7F:78:1D:49:B7
# Subject's DN: ...
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
*** Verifying server certificate failed...

I thought that this bug might have been relevant, but gdowle's fix was to create an x509 v3 certificate using the Signature Algorithm sha1WithRSAEncryption, but that's what we have already...

openssl x509 -in /etc/openldap/ssl/cacert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: ...
        Validity
            Not Before: Apr 28 14:46:26 2009 GMT
            Not After : Apr 26 14:46:26 2019 GMT
        Subject: ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): ...
                Exponent: ...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3D:B9:10:D1:81:97:38:04:6C:5D:7C:6C:6C:7B:FE:8B:DF:BA:E3:B4
            X509v3 Authority Key Identifier:
                keyid:3D:B9:10:D1:81:97:38:04:6C:5D:7C:6C:6C:7B:FE:8B:DF:BA:E3:B4
    Signature Algorithm: sha1WithRSAEncryption

One thing that worries me is this:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE

The CA was made by

openssl req -new -keyout private/cakey.pem -out careq.pem
openssl ca -out cacert.pem -in careq.pem -days 3650 -keyfile private/cakey.pem -selfsign

but some guides I see say to generate it with

openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf

Was the CA made incorrectly?

--
"TLS: peer cert untrusted or revoked (0x82)" error in Hardy's version of ldap-utils
https://bugs.launchpad.net/bugs/257153

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
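The CA:FALSE basicConstraints value the poster is worried about is the thing to check on any certificate used as an issuer: GnuTLS refuses to build a chain through an issuer certificate whose basicConstraints does not assert cA, so a root produced by `openssl ca -selfsign` without a CA extension section fails verification there even when OpenSSL reports the chain as ok. The following check is an added example (not code from the bug thread, OpenLDAP, GnuTLS or OpenSSL); it uses only the Python standard library, locates the basicConstraints extension (OID 2.5.29.19) in a PEM or DER certificate, and decodes the cA flag, and it runs on the two constructed extension encodings embedded at the bottom.

```python
"""Report the basicConstraints cA flag of an X.509 certificate (PEM or DER)."""
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # DER-encoded OID 2.5.29.19


def pem_to_der(data: bytes) -> bytes:
    """Strip PEM armour if present; otherwise assume the input is already DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def basic_constraints_ca(cert: bytes):
    """True/False for the cA flag, or None when the extension is absent.

    The extension is found by scanning for its OID bytes, which is adequate
    for real certificates but is a heuristic, not a full X.509 parser.
    """
    der = pem_to_der(cert)
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return None
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    tag, start, end = read_tlv(der, idx + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:                        # explicit critical flag present: skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue after basicConstraints OID")
    # extnValue wraps BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
    tag, seq_start, seq_end = read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("BasicConstraints is not a SEQUENCE")
    if seq_start == seq_end:
        return False                       # empty SEQUENCE: cA takes its DEFAULT, FALSE
    tag, b_start, _ = read_tlv(der, seq_start)
    return tag == 0x01 and der[b_start] != 0


# Constructed samples (assumed, not taken from the poster's certificate): the extension
# bytes OpenSSL emits for "critical,CA:true" (v3_ca) and for a plain "CA:FALSE".
CA_TRUE_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")
CA_FALSE_EXT = bytes.fromhex("30090603551d1304023000")
```

Feeding the real cacert.pem as bytes to `basic_constraints_ca` distinguishes a usable CA (True) from the CA:FALSE certificate shown in the post (False).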