
Re: Re: ldap and tls



Check this discussion

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462588

It seems that gnutls has a different way of specifying the ciphers to use. Also,
there is a mention of the CN not matching the FQDN in the certificate.

I was always happy just setting minssf value in slapd.conf.

gp

On Tue, Mar 31, 2009 at 10:38 PM, Maria McKinley <maria@shadlen.org> wrote:
> Predrag Gavrilovic wrote:
>
> Thanks for the troubleshooting hints; comments inline.
>
> Predrag Gavrilovic wrote:
>
>> Are you sure that the problem is not related to something as simple as file
>> permissions on the private key for the server certificate? Because that was
>> the only problem the last time I had trouble with openldap and certificates.
>
> Permissions and ownership seem fine.
>
>> gnutls doesn't support the TLS_CACERTDIR option, that is, setting
>> TLSCACertificatePath in slapd.conf. That means that the CA certificates
>> must reside in a single file. update-ca-certificates can create that
>> file for you. As far as I know, that is the main difference between using
>> one or the other.
>
> I only have one CA certificate. I tried combining with my other certificate,
> but this didn't help. Here is the info from my slapd.conf:
>
> # TLS encryption parameters (when I combined the certificates, I
> # commented out the TLSCertificateFile line)
> TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
> TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
> TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
> TLSCipherSuite HIGH
>
>> Try stopping slapd, put the certificate information in the config file, and
>> start slapd manually with debugging: "slapd -u openldap -g openldap -h
>> ldapi:/// -d255". Are there more indicative error messages?
>
> Here is what I believe are the relevant lines:
>
> TLS: could not set cipher list HIGH.
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.
>
> Just in case, I have put the full output up on the web:
>
> http://www.shadlen.org/~maria/pmwiki/Work/Error-log
>
> Also, maybe this is helpful?
>
> test:~# openssl s_client -connect localhost:389 -showcerts
> CONNECTED(00000003)
> 13539:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> thanks for the help,
> maria
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
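As an added example (not part of the thread, Debian or OpenLDAP), here is a small Python pre-flight check for the three pitfalls raised above: an OpenSSL-style TLSCipherSuite such as HIGH on a GnuTLS-linked slapd, TLSCACertificatePath with GnuTLS, and a private key file that other users can read. The keyword sets are an assumption and deliberately incomplete; the paths in the test are constructed placeholders.

```python
import os
import stat

# Non-exhaustive keyword sets for the two cipher-spec syntaxes (assumption: enough
# to tell them apart, not a full grammar for either library).
OPENSSL_KEYWORDS = {"HIGH", "MEDIUM", "LOW", "DEFAULT", "ALL", "COMPLEMENTOFDEFAULT"}
GNUTLS_KEYWORDS = {"NONE", "NORMAL", "SECURE128", "SECURE256", "PERFORMANCE", "LEGACY"}


def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf body, skipping comments."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("TLS") and len(parts) == 2:
            directives[parts[0]] = parts[1].strip()
    return directives


def check_slapd_tls(conf_text, backend="gnutls"):
    """Return a list of human-readable findings for the pitfalls discussed in the thread."""
    d = parse_tls_directives(conf_text)
    findings = []
    suite = d.get("TLSCipherSuite")
    if suite and backend == "gnutls":
        # Only the leading keyword is inspected; modifiers like ":-VERS-SSL3.0" are allowed.
        first = suite.split(":")[0].lstrip("!+-").upper()
        if first in OPENSSL_KEYWORDS:
            findings.append(f"TLSCipherSuite '{suite}' is OpenSSL cipher-list syntax; a "
                            "GnuTLS-linked slapd expects a priority string such as NORMAL")
        elif first not in GNUTLS_KEYWORDS:
            findings.append(f"TLSCipherSuite '{suite}' does not start with a known GnuTLS keyword")
    if backend == "gnutls" and "TLSCACertificatePath" in d:
        findings.append("TLSCACertificatePath is not supported with GnuTLS; put all CA "
                        "certificates into one TLSCACertificateFile bundle")
    key = d.get("TLSCertificateKeyFile")
    if key:
        if not os.path.isfile(key):
            findings.append(f"TLSCertificateKeyFile {key} does not exist")
        elif stat.S_IMODE(os.stat(key).st_mode) & stat.S_IRWXO:
            findings.append(f"TLSCertificateKeyFile {key} is world-accessible; restrict it to the slapd user")
    return findings
```

Run it against the TLS block of slapd.conf before starting slapd with -d255; an empty list means none of the thread's known pitfalls is present, not that the configuration is otherwise correct.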

