
Re: Re: ldap and tls

Check this discussion


It seems that gnutls has a different way of specifying the ciphers to use. Also
there is a mention of the CN not matching the FQDN in the certificate.

I was always happy just setting the minssf value in slapd.conf.


On Tue, Mar 31, 2009 at 10:38 PM, Maria McKinley <maria@shadlen.org> wrote:
> Thanks for the troubleshooting hints, comments inline.
> Predrag Gavrilovic wrote:
>> Are you sure that the problem is not related to something as simple as file
>> permissions on the private key for the server certificate? Because that was
>> the only problem the last time I had trouble with openldap and certificates.
> Permissions and ownership seem fine.
>> gnutls doesn't support the TLS_CACERTDIR option, that is, setting
>> TLSCACertificatePath in slapd.conf. That means that CA certificates
>> must reside in a single file. update-ca-certificates can create that
>> file for you. As far as I know that is the main difference between using
>> one or the other.
> I only have one CA certificate. I tried combining with my other certificate,
> but this didn't help. Here is the info from my slapd.conf:
> # TLS encryption parameters (when I combined the certificates, I
> # commented out the TLSCertificateFile line)
> TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
> TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
> TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
> TLSCipherSuite HIGH
>> Try stopping slapd, put the certificate information in the config file, and
>> start slapd manually with debugging: "slapd -u openldap  -g openldap -h
>> ldapi:/// -d255". Are there more indicative error messages?
> Here is what I believe are the relevant lines:
> TLS: could not set cipher list HIGH.
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.
> Just in case, I have put the full output up on the web:
> http://www.shadlen.org/~maria/pmwiki/Work/Error-log
> Also, maybe this is helpful?
> test:~# openssl s_client -connect localhost:389 -showcerts
> CONNECTED(00000003)
> 13539:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> thanks for the help,
> maria
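The three checks suggested in this thread (an OpenSSL-style `TLSCipherSuite` keyword that a GnuTLS-linked slapd rejects with "could not set cipher list", a `TLSCACertificatePath` directive the GnuTLS build ignores, and private-key file permissions) can be run mechanically against a slapd.conf before starting the daemon. The script below is an added example written for this page, not code from the thread or from the OpenLDAP project. The slapd.conf and the key file it lints are constructed in a temporary directory; the HIGH-to-SECURE128 and MEDIUM/LOW/ALL-to-NORMAL mapping is a rough approximation of OpenSSL cipher-list keywords onto GnuTLS priority strings, not an exact equivalence.

```shell
#!/bin/sh
# Lint the TLS directives of a slapd.conf for the GnuTLS-build pitfalls
# discussed in this thread. Works with plain POSIX sh.

# Classify a TLSCipherSuite value: GnuTLS priority string, OpenSSL cipher
# list keyword, or something we cannot tell apart (explicit cipher names).
cipher_suite_kind() {
    case "$1" in
        NORMAL*|SECURE128*|SECURE256*|PERFORMANCE*|PFS*|NONE*|EXPORT*)
            echo gnutls ;;
        HIGH*|MEDIUM*|LOW*|ALL*|DEFAULT*|COMPLEMENTOFDEFAULT*|COMPLEMENTOFALL*)
            echo openssl ;;
        *)
            echo unknown ;;
    esac
}

# Rough GnuTLS priority string for an OpenSSL keyword (approximation only).
gnutls_equivalent() {
    case "$1" in
        HIGH)   echo SECURE128 ;;
        *)      echo NORMAL ;;
    esac
}

# Read a slapd.conf and print one FINDING line per problem.
# Returns the number of findings (0 means clean).
lint_slapd_tls() {
    conf=$1
    findings=0
    while read -r directive value; do
        case "$directive" in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        case "$directive" in
            TLSCipherSuite)
                if [ "$(cipher_suite_kind "$value")" = openssl ]; then
                    echo "FINDING: TLSCipherSuite '$value' is an OpenSSL cipher-list keyword;" \
                         "a GnuTLS-linked slapd fails with 'TLS: could not set cipher list'." \
                         "Try a GnuTLS priority string such as $(gnutls_equivalent "$value")."
                    findings=$((findings + 1))
                fi ;;
            TLSCACertificatePath)
                echo "FINDING: TLSCACertificatePath is not supported by GnuTLS builds;" \
                     "concatenate the CA certificates into one TLSCACertificateFile."
                findings=$((findings + 1)) ;;
            TLSCertificateKeyFile)
                if [ ! -f "$value" ]; then
                    echo "FINDING: private key $value does not exist."
                    findings=$((findings + 1))
                # columns 8-10 of ls -ld are the 'other' permission bits
                elif [ "$(ls -ld "$value" | cut -c8-10)" != "---" ]; then
                    echo "FINDING: private key $value is world-accessible" \
                         "($(ls -ld "$value" | cut -c1-10)); restrict it to the slapd user/group."
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$conf"
    return "$findings"
}

# Constructed sample: a config mirroring the one in the thread, with a dummy
# world-readable key file, all inside a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'dummy key material (constructed, not a real key)\n' > "$WORK/ldap.key"
chmod 644 "$WORK/ldap.key"
cat > "$WORK/slapd.conf" <<EOF
# TLS encryption parameters (constructed sample)
TLSCACertificateFile $WORK/ca-certificates.crt
TLSCertificateFile $WORK/ldap.crt
TLSCertificateKeyFile $WORK/ldap.key
TLSCipherSuite HIGH
EOF

# Demo run: expect two findings (cipher keyword and key permissions).
lint_slapd_tls "$WORK/slapd.conf" || echo "$? problem(s) found in $WORK/slapd.conf"
```

Point `lint_slapd_tls` at the real /etc/ldap/slapd.conf to get the same report for a live server; a nonzero return code is the number of findings, so it can gate a restart in a deployment script.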
