Hi Atle,
in my case I am a certificate agency (self-signed certificate) and I issue a "private key" and a "certificate" both for the root "CA" (cacert.pem) and for the LDAP server (server-key.pem and server-cert.pem) and the LDAP perl script client (client-key.pem and client-cert.pem).
 
The script and client run on the same computer (for the moment). The LDAP server private key (private/server-key.pem) and certificate (certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory -- and, as recommended, I created a certificate link named using the hash value:
 
 URL: https://metacpan.org/pod/Net::LDAP#start_tls
 
 
ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

The client (perl script) references the client's key/cert in the script; they are stored in the sub-directory 'certs' under the directory where the script is located (certs/client-key.pem and certs/client-cert.pem).
 
At the moment I do not fully grasp why verification of the server certificate fails.
 
I welcome any ideas on how to fix it.
 
NOTE: It is my first attempt to program with Net::LDAP and start_tls -- I am in the process of learning how it works and how to program LDAP over TLS in perl.
 
 Thanks for any input,
 
 Andrew
 
 
On 4/13/2014 12:43 PM, Atle Solbakken wrote:
 
      
If I change the "verify => none" option of the "start_tls" command to one of 'optional' or 'required', then I get the following error message:
        
 
root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.
root@install:~/prog#
 
 
 
It seems to me that the "verify"-option tells Net::LDAP whether it should verify that the certificate the server you are connecting to is using has been signed by a known certificate authority (listed in /etc/ssl/certs).
 
start_tls will fail if the server does not provide any certificate, or if the certificate is not signed by a CA (ref http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).
 
 Atle.
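As an added example (not code from this thread, nor from the Net::LDAP documentation), here is a minimal client that does what the thread describes: start_tls with server certificate verification against the hashed CA directory, plus the client key/cert. The host name is a placeholder and the check_tls_files helper is my own; the file paths follow the thread.

```perl
#!/usr/bin/perl
# Added example: Net::LDAP start_tls with verify => 'require'.
use strict;
use warnings;
use Net::LDAP;

# Paths as described in the thread; $host is a hypothetical server name.
my $host       = 'ldap.example.com';
my $capath     = '/etc/ssl/certs';           # holds <hash>.0 -> cacert.pem
my $clientcert = 'certs/client-cert.pem';
my $clientkey  = 'certs/client-key.pem';

# Local sanity checks before touching the network. Two common causes of
# "certificate verify failed" are an unreadable key/cert file and a capath
# without the <hash>.0 link (openssl x509 -hash or c_rehash create it).
sub check_tls_files {
    my ($capath, @files) = @_;
    my @problems;
    my @links = glob("$capath/*.0");
    push @problems, "no <hash>.0 link found in $capath" unless @links;
    for my $f (@files) {
        push @problems, "cannot read $f" unless -r $f;
    }
    return @problems;
}

if (my @p = check_tls_files($capath, $clientcert, $clientkey)) {
    die join("\n", @p) . "\n";
}

my $ldap = Net::LDAP->new($host, port => 389)
    or die "cannot connect to $host: $@\n";

# verify => 'require' makes Net::LDAP (through IO::Socket::SSL) reject the
# session unless the server certificate chains to a CA found via capath
# or cafile. The server certificate must also name $host (CN or
# subjectAltName): connecting by IP address or by an alias that is not in
# the certificate fails verification even when the CA itself is trusted.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    capath     => $capath,         # or: cafile => "$capath/cacert.pem"
    clientcert => $clientcert,
    clientkey  => $clientkey,
);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# From here on the connection is encrypted; bind and search as usual.
$mesg = $ldap->bind;              # anonymous bind over TLS
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
$ldap->unbind;
```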
 
 
 
 