
Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error

On 04/13/2014 04:45 PM, Snow Leopard wrote:
Hi Atle,

In my case I am the certificate agency (self-signed certificate) and I issue the "private key" and "certificate" (cacert.pem) both for the root "CA" and for the LDAP server (server-key.pem and server-cert.pem) and the LDAP perl script client (client-key.pem and client-cert.pem).

The script and client run on the same computer (for the moment), and the LDAP server private key (private/server-key.pem) and certificate (certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory -- and as recommended I created a certificate named using the hash value

URL: https://metacpan.org/pod/Net::LDAP#start_tls

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

The client (perl script) has a reference to the client's key/cert in the script, which are stored in the sub-directory 'certs' where the script is located (certs/client-key.pem and certs/client-cert.pem).

At the moment I do not fully grasp why verification of the server certificate fails.

I welcome any ideas on how to fix it.

NOTE: It is my first attempt to program with Net::LDAP and start_tls -- I am in the process of learning how it works and how to program to use LDAP over TLS in perl.

Thanks for any input,


On 4/13/2014 12:43 PM, Atle Solbakken wrote:

If I change the "verify => none" option of the "start_tls" command to one of 'optional' or 'required', then I get the following error message:

root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.

It seems to me that the "verify"-option tells Net::LDAP whether it should verify that the certificate the server you are connecting to is using has been signed by a known certificate authority (listed in /etc/ssl/certs).

start_tls will fail if the server does not provide any certificate, or if the certificate is not signed by a CA (ref http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).

I think it would be better if there was an easier way. Especially for older non-elastic brains. :) Ric


My father, Victor Moore (Vic) used to say:

"There are two Great Sins in the world...

..the Sin of Ignorance, and the Sin of Stupidity.

Only the former may be overcome." R.I.P. Dad.


X-oldie-warning: Toothless but still vicious
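
An added example, not part of the original messages: a shell check of whether a server certificate verifies against a hashed CA directory, run before and after creating the hash-named symlink quoted in the thread. The CA, the server certificate, their subjects and the temporary directory layout are constructed for the demo and are not the poster's files.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and server certificate in a temp directory.
# Subjects and file layout are made up; only the symlink command is from the post.

make_demo_pki() {            # $1 = work dir
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca-key.pem" -out "$1/certs/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 1 -CAcreateserial \
        -CA "$1/certs/cacert.pem" -CAkey "$1/ca-key.pem" \
        -out "$1/server-cert.pem" 2>/dev/null
}

link_ca_hash() {             # $1 = CA directory; same symlink as in the post
    ( cd "$1" && ln -sf cacert.pem "$(openssl x509 -hash -noout < cacert.pem).0" )
}

verify_with_capath() {       # $1 = CA directory, $2 = certificate to check
    # Match on the "OK" line rather than relying on the exit status alone.
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || return 1
    # The CA file is in the directory but not yet reachable by its hash name.
    if verify_with_capath "$work/certs" "$work/server-cert.pem"
    then before=ok; else before=fail; fi
    link_ca_hash "$work/certs"
    if verify_with_capath "$work/certs" "$work/server-cert.pem"
    then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "before hash link: $before, after hash link: $after"
}

demo
```

Running `verify_with_capath` against the real CA directory and the real server certificate shows whether the failure is in the trust chain itself or in how the client is pointed at the CA.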
