
Re: ldap and tls



Are you sure that the problem is not related to something as simple as
file permissions on the private key for the server certificate? Because
that was the problem the last time I had trouble with openldap and
certificates.
gnutls doesn't support the TLS_CACERTDIR option, that is, setting
TLSCACertificatePath in slapd.conf. That means that CA certificates
must reside in a single file. update-ca-certificates can create that
file for you. As far as I know that is the main difference between
using one or the other.
Try stopping slapd, put the certificate information in the config file,
and start slapd manually with debugging:
"slapd -u openldap -g openldap -h ldapi:/// -d255". Are there more
indicative error messages?

gp

On Fri, Mar 27, 2009 at 1:56 AM, Maria McKinley <maria@shadlen.org> wrote:
> I have been trying to get ldap to work with tls for a while, and have been
> having a hard time. When I have the certificate info in slapd.conf, slapd
> refuses to start, giving me the error:
>
> main: TLS init def ctx failed: -1
>
> With the certificate lines commented out, slapd starts with no problem, of
> course. I've done a bunch of poking about, and the problem seems to be
> related to the change in the way slapd is built in debian. With Lenny,
> debian slapd is built with libgnutls instead of openssl. Unfortunately, all
> of the instructions I can find for setting up certificates for debian slapd
> use openssl. How do I get certificates made with openssl to work with slapd
> now that it is built with libgnutls, or is there another way to make
> certificates now? And how do I verify that my certificates are built
> correctly using libgnutls? It seems to be set up correctly, but I'm not sure
> how to test the certificates themselves:
>
> test:/etc/ssl/certs# gnutls-cli -l :High
> Cipher suites:
> TLS_ANON_DH_ARCFOUR_MD5                                 0x00, 0x18   SSL3.0
> TLS_ANON_DH_3DES_EDE_CBC_SHA1                           0x00, 0x1b   SSL3.0
> TLS_ANON_DH_AES_128_CBC_SHA1                            0x00, 0x34   SSL3.0
> TLS_ANON_DH_AES_256_CBC_SHA1                            0x00, 0x3a   SSL3.0
> TLS_ANON_DH_CAMELLIA_128_CBC_SHA1                       0x00, 0x46   TLS1.0
> TLS_ANON_DH_CAMELLIA_256_CBC_SHA1                       0x00, 0x89   TLS1.0
> TLS_PSK_SHA_ARCFOUR_SHA1                                0x00, 0x8a   TLS1.0
> TLS_PSK_SHA_3DES_EDE_CBC_SHA1                           0x00, 0x8b   TLS1.0
> TLS_PSK_SHA_AES_128_CBC_SHA1                            0x00, 0x8c   TLS1.0
> TLS_PSK_SHA_AES_256_CBC_SHA1                            0x00, 0x8d   TLS1.0
> TLS_DHE_PSK_SHA_ARCFOUR_SHA1                            0x00, 0x8e   TLS1.0
> TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1                       0x00, 0x8f   TLS1.0
> TLS_DHE_PSK_SHA_AES_128_CBC_SHA1                        0x00, 0x90   TLS1.0
> TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                        0x00, 0x91   TLS1.0
> TLS_SRP_SHA_3DES_EDE_CBC_SHA1                           0xc0, 0x1a   TLS1.0
> TLS_SRP_SHA_AES_128_CBC_SHA1                            0xc0, 0x1d   TLS1.0
> TLS_SRP_SHA_AES_256_CBC_SHA1                            0xc0, 0x20   TLS1.0
> TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                       0xc0, 0x1c   TLS1.0
> TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                       0xc0, 0x1b   TLS1.0
> TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                        0xc0, 0x1f   TLS1.0
> TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                        0xc0, 0x1e   TLS1.0
> TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                        0xc0, 0x22   TLS1.0
> TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                        0xc0, 0x21   TLS1.0
> TLS_DHE_DSS_ARCFOUR_SHA1                                0x00, 0x66   TLS1.0
> TLS_DHE_DSS_3DES_EDE_CBC_SHA1                           0x00, 0x13   SSL3.0
> TLS_DHE_DSS_AES_128_CBC_SHA1                            0x00, 0x32   SSL3.0
> TLS_DHE_DSS_AES_256_CBC_SHA1                            0x00, 0x38   SSL3.0
> TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                       0x00, 0x44   TLS1.0
> TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                       0x00, 0x87   TLS1.0
> TLS_DHE_RSA_3DES_EDE_CBC_SHA1                           0x00, 0x16   SSL3.0
> TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33   SSL3.0
> TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39   SSL3.0
> TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x45   TLS1.0
> TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x88   TLS1.0
> TLS_RSA_NULL_MD5                                        0x00, 0x01   SSL3.0
> TLS_RSA_EXPORT_ARCFOUR_40_MD5                           0x00, 0x03   SSL3.0
> TLS_RSA_ARCFOUR_SHA1                                    0x00, 0x05   SSL3.0
> TLS_RSA_ARCFOUR_MD5                                     0x00, 0x04   SSL3.0
> TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a   SSL3.0
> TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f   SSL3.0
> TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35   SSL3.0
> TLS_RSA_CAMELLIA_128_CBC_SHA1                           0x00, 0x41   TLS1.0
> TLS_RSA_CAMELLIA_256_CBC_SHA1                           0x00, 0x84   TLS1.0
> Certificate types: X.509, OPENPGP
> Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
> Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128,
> ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
> MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
> Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS,
> SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
> Compression: DEFLATE, NULL
>
>
> Thank you,
> maria
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

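The two checks the reply above recommends, written out as a small pre-flight script. This is an added example, not code from the thread or from OpenLDAP: it parses the TLS* directives of a slapd.conf, flags TLSCACertificatePath (which a GnuTLS-built slapd cannot use), merges a CA directory into the single TLSCACertificateFile that GnuTLS needs, and reports a private key that is world-readable or unreadable by the uid slapd runs as. The slapd.conf fragment, the CA directory contents and the key file in demo() are constructed placeholders, not real certificates; the directive names are the real slapd.conf ones.

```python
"""Pre-flight checks for the TLS directives of an OpenLDAP slapd.conf.

Added example (not from the list thread). The sample configuration and
PEM files built in demo() are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

# PEM framing is all the bundler keys on; the body is copied verbatim.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.DOTALL
)


def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("TLS") and len(parts) == 2:
            directives[parts[0]] = parts[1].strip().strip('"')
    return directives


def bundle_ca_dir(ca_dir, out_file):
    """Concatenate every PEM certificate under ca_dir into out_file.

    This is the GnuTLS substitute for TLSCACertificatePath: one file holding
    all CA certificates. Returns the number of certificates written.
    """
    count = 0
    with open(out_file, "w") as out:
        for name in sorted(os.listdir(ca_dir)):
            path = os.path.join(ca_dir, name)
            if not os.path.isfile(path):
                continue
            with open(path) as f:
                for cert in PEM_CERT_RE.findall(f.read()):
                    out.write(cert + "\n")
                    count += 1
    return count


def check_key_permissions(key_path, run_as_uid=None):
    """Return problems with the private key's mode or ownership.

    Ownership check is an approximation: supplementary groups are ignored.
    """
    problems = []
    try:
        st = os.stat(key_path)
    except FileNotFoundError:
        return ["key file %s does not exist" % key_path]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("key file is world-accessible (mode %o)" % mode)
    readable_by_others = mode & (stat.S_IRGRP | stat.S_IROTH)
    if run_as_uid is not None and st.st_uid != run_as_uid and not readable_by_others:
        problems.append("key file is not readable by uid %d" % run_as_uid)
    return problems


def audit_slapd_tls(conf_text, run_as_uid=None):
    """Return a list of findings for the TLS setup described by conf_text."""
    findings = []
    d = parse_tls_directives(conf_text)
    if "TLSCACertificatePath" in d:
        findings.append("TLSCACertificatePath is not supported by a GnuTLS-built "
                        "slapd; bundle the directory into one TLSCACertificateFile")
    for key in ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile"):
        if key in d and not os.path.isfile(d[key]):
            findings.append("%s points to a missing file: %s" % (key, d[key]))
    key_file = d.get("TLSCertificateKeyFile")
    if key_file and os.path.isfile(key_file):
        findings.extend(check_key_permissions(key_file, run_as_uid))
    return findings


def demo():
    """Build a constructed slapd.conf, CA dir and key, audit and bundle them."""
    work = tempfile.mkdtemp()
    ca_dir = os.path.join(work, "cacerts")
    os.mkdir(ca_dir)
    for i in range(2):  # two constructed PEM placeholders, not real certs
        with open(os.path.join(ca_dir, "ca%d.pem" % i), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n"
                    "-----END CERTIFICATE-----\n")
    key_path = os.path.join(work, "ldap.key")
    with open(key_path, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
                "-----END RSA PRIVATE KEY-----\n")
    os.chmod(key_path, 0o644)  # the common mistake: world-readable key
    conf = ("# constructed slapd.conf fragment\nTLSCACertificatePath %s\n"
            "TLSCertificateFile %s\nTLSCertificateKeyFile %s\n"
            % (ca_dir, os.path.join(work, "ldap.crt"), key_path))
    uid = os.getuid() if hasattr(os, "getuid") else None
    findings = audit_slapd_tls(conf, run_as_uid=uid)
    bundled = bundle_ca_dir(ca_dir, os.path.join(work, "ca-bundle.pem"))
    return {"findings": findings, "bundled": bundled}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print("-", line)
```

Run it once against the real slapd.conf by feeding the file's contents to audit_slapd_tls() with the uid of the account slapd is started with (the reply uses -u openldap); the findings list is empty when the configuration points at existing files, uses a single CA file and the key is readable only by that account.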