Good call on using curl and openssl.
Code:
curl https://myldap.srv:636/
Result:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
However, if I then use the following, it works:
Code:
curl --cacert /etc/ldap/cacert.pem https://myldap.srv:636/
Result:
curl: (52) Empty reply from server
This is specifying the explicit location of the public cacert.pem file distributed by my signing box, which kind of suggests my ldap client may be ignoring the TLS_CACERT option in the ldap.conf file.
Code:
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldaps://myldap.srv/
PORT 636
BASE dc=myldap,dc=srv
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /etc/ldap/mysrv.srv.pem
TLS_KEY /etc/ldap/mysrv.srv.key.pem
TLS_REQCERT demand
The output from -debug on openssl points at the self-signed certificate being an issue:
Code:
---
No client certificate CA names sent
---
SSL handshake has read 1543 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
Compression: 1 (zlib compression)
Start Time: 1335471744
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
I don't understand why this would have been working before and has stopped now. I've tried regenerating the SSL certificates pointed to in ldap.conf.
I've also checked that the certs are the same in both /etc/ldap/ldap.conf and /etc/ldap.conf:
Code:
tls_cacertfile /etc/ldap/cacert.pem
tls_cert /etc/ldap/mysrv.srv.pem
tls_key /etc/ldap/mysrv.srv.key.pem
Any pointers would be greatly appreciated.
Regards,
Rob.
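The "Verify return code: 19 (self signed certificate in certificate chain)" line above is what OpenSSL reports whenever the server's chain ends in a self-signed CA that the verifier has not been told to trust; it says nothing about ldap.conf, because `openssl s_client` does not read that file. The added script below (example code, not from the thread or from OpenLDAP) reproduces the two outcomes offline: it builds a constructed private CA and a server certificate with the same file names as the ldap.conf above, then verifies the server certificate once with the CA trusted (`-CAfile`, as curl was run the second time) and once with the CA merely present in the chain (`-untrusted`, which is what s_client sees when no `-CAfile` is given). It assumes the `openssl` command line tool is installed and that `mktemp -d` is available.

```shell
#!/bin/sh
# Added example (not part of the original post): reproduce OpenSSL verify
# error 19 offline and show that the same chain verifies once the CA is trusted.
# Assumes the openssl CLI is installed. All keys and certificates are
# constructed here for the demonstration and thrown away on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: a self-signed CA and a server certificate
# issued by it. File names mirror the thread's ldap.conf.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=myldap.srv" \
        -keyout "$WORK/mysrv.srv.key.pem" -out "$WORK/mysrv.srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/mysrv.srv.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
        -out "$WORK/mysrv.srv.pem" >/dev/null 2>&1
}

# verify_result CERT [CAFILE]
# Prints "OK" when the chain verifies. Otherwise prints the numeric X509
# verify error, e.g. 19 (self signed certificate in certificate chain) or
# 20 (unable to get local issuer certificate).
# Without CAFILE the CA is supplied only as an untrusted chain member, which
# is exactly what a client sees when the server sends its full chain but the
# client has no trust anchor configured.
verify_result() {
    cert=$1
    cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo OK; return 0; }
    else
        out=$(openssl verify -untrusted "$WORK/cacert.pem" "$cert" 2>&1) && { echo OK; return 0; }
    fi
    # Extract the first "error N at <depth> depth lookup" code from the output.
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_test_pki
echo "CA trusted (-CAfile):     $(verify_result "$WORK/mysrv.srv.pem" "$WORK/cacert.pem")"
echo "CA not trusted (in chain): $(verify_result "$WORK/mysrv.srv.pem")"
```

The equivalent live check against the server is `openssl s_client -connect myldap.srv:636 -CAfile /etc/ldap/cacert.pem`: if that prints "Verify return code: 0 (ok)", the CA file is fine and the remaining question is purely which file the LDAP client library is reading. Note also that curl's second run ending in "(52) Empty reply from server" means the TLS handshake completed with that CA file; curl then spoke HTTP to an LDAP port, so the empty reply is expected. Two other items in the s_client output are worth a look from a hardening point of view: a 1024-bit server key and an SSLv3 session are both well below current minimums.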