Re: mod_authnz_ldap and SSL

Eric Covener wrote:
On 10/17/07, Alexander Fortin <alieno@xxxxxxxxx> wrote:
<IfModule util_ldap.c>
         LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/cacert.pem
         LDAPTrustedMode SSL
         LDAPVerifyServerCert off
</IfModule>

Wireshark will format the initial stages of the handshake pretty
nicely, you might see something fishy or a plaintext SSL Alert.

Can openssl handshake w/ the ldap server?  Is its cert  issued by that
cacert.pem?  Can openssl validate the cert chain when you give it that
same cacert.pem?


Yes, openssl looks fine to me. Or at least from the console:

# openssl s_client -connect myldapserver:636 -CAfile /etc/ssl/certs/cacert.pem

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=myldapserver/emailAddress=my@email
   i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
 1 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
   i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEXjCCA8egAwIBAgIBAzANBgkqhkiG9w0BAQQFADCByjELMAkGA1UEBhMCQVUx
[...]
-----END CERTIFICATE-----
subject=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet services/CN=myldpaserver/emailAddress=my@email
issuer=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
---
No client certificate CA names sent
---
SSL handshake has read 2364 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 6BE2EE5A88866AB4D8303ECBB0BD1CA5DD905E3EC5DDBA9A3A1D0652EB3B6829
    Session-ID-ctx:
    Master-Key: 0454B3AF0B372ED6B530FA25C57DC3E34049A58125EBC99A25B674D9545BE7322D536273C654C53CE9C58DDE410A8A7C
    Key-Arg   : None
    Start Time: 1192679978
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


--
Alexander Fortin
IT Consultant
Informed Technology Pty Ltd
E-mail: alieno@xxxxxxxxx
Ph: 08 9460 4888  Fax: 08 9460 4877
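
The check Eric suggests (does the chain validate against the same cacert.pem mod_ldap is given?) can be automated over `openssl s_client` output. This is an added example, not code from the thread or from the httpd project; it parses the classic s_client text layout, reports the verify return code, and also checks that the leaf CN matches the host you connected to, which the verify return code alone does not cover. The sample output is constructed with placeholder names.

```python
import re

# Constructed sample in the classic `openssl s_client` layout (not the thread's real output; names are placeholders).
SAMPLE_OK = """\
Certificate chain
 0 s:/C=AU/O=Example Pty Ltd/CN=ldap.example.com
   i:/C=AU/O=Example Pty Ltd/CN=Example Internal CA
 1 s:/C=AU/O=Example Pty Ltd/CN=Example Internal CA
   i:/C=AU/O=Example Pty Ltd/CN=Example Internal CA
---
subject=/C=AU/O=Example Pty Ltd/CN=ldap.example.com
issuer=/C=AU/O=Example Pty Ltd/CN=Example Internal CA
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Verify return code: 0 (ok)
"""

def parse_s_client(output):
    """Pull subject, chain, protocol, cipher and verify code out of s_client's text output."""
    info = {"subject": None, "verify_code": None, "verify_text": None, "protocol": None, "cipher": None, "chain": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("Protocol") or line.startswith("Cipher"):
            key, val = line.split(":", 1)
            info[key.strip().lower()] = val.strip()
        elif line.startswith("Verify return code:"):
            m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
            info["verify_code"], info["verify_text"] = int(m.group(1)), m.group(2)
        else:
            m = re.match(r"(\d+)\s+s:(.*)", line)  # one "N s:<subject>" line per chain element
            if m:
                info["chain"].append(m.group(2))
    return info

def assess(output, expected_host):
    """Chain must verify (code 0) AND the leaf CN must equal the host we connected to."""
    info = parse_s_client(output)
    m = re.search(r"/CN=([^/]+)", info["subject"] or "")
    cn = m.group(1) if m else None
    problems = []
    if info["verify_code"] != 0:
        problems.append("chain did not verify: %s (%s)" % (info["verify_code"], info["verify_text"]))
    if cn is None or cn.lower() != expected_host.lower():
        problems.append("leaf CN %r does not match host %r" % (cn, expected_host))
    return {"ok": not problems, "problems": problems, "cn": cn, "protocol": info["protocol"],
            "cipher": info["cipher"], "chain_depth": len(info["chain"])}
```

Feed it real output with `assess(open("s_client.txt").read(), "myldapserver")`; a non-empty `problems` list is the thing to chase before touching the Apache side.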

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

