From: Chris R. <chr...@me...> - 2001-06-21 09:35:50
Christian Gilmore <cgi...@ti...> wrote:

> [ Sorry for the initial, incomplete post ]
>
> I've successfully queried an SSL-enabled LDAPv3 service with Net::LDAPS,
> but the software continually dies when I attempt to verify the CA
> certificate. I have followed the instructions for creating the hash-valued
> symlink to the CA cert file.
>
> lrwxrwxrwx ce23b666.0 -> equifaxca2.crt
> -r--r--r-- equifaxca2.crt
>
> tomcat% more ce23b666.0
> -----BEGIN CERTIFICATE-----
> MIIC8DCCAlmgAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
> FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
> VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
> biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
> MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTkwNTI1
> MDMwMDAwWhcNMDIwNjEwMDMwMDAwWjBTMQswCQYDVQQGEwJVUzEbMBkGA1UEChMS
> RXF1aWZheCBTZWN1cmUgSW5jMScwJQYDVQQDEx5FcXVpZmF4IFNlY3VyZSBFLUJ1
> c2luZXNzIENBLTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYna8GjS9mG
> q4Cb8L0VwDBMZ+ztPI05urQb8F0t1Dp4I3gOFUs2WZJJv9Y1zCFwQbQbfJuBuXmZ
> QKIZJOw3jwPbfcvoTyqQhM0Yyb1YzgM2ghuv8Zz/+LYrjBo2yrmf86zvMhDVOD7z
> dhDzyTxCh5F6+K6Mcmmar+ncFMmIum2bAgMBAAGjYjBgMBIGA1UdEwEB/wQIMAYB
> Af8CAQAwSgYDVR0lBEMwQQYIKwYBBQUHAwEGCCsGAQUFBwMDBgorBgEEAYI3CgMD
> BglghkgBhvhCBAEGCCsGAQUFBwMIBgorBgEEAYI3CgMCMA0GCSqGSIb3DQEBBAUA
> A4GBALIfbC0RQ9g4Zxf/Y8IA2jWm8Tt+jvFWPt5wT3n5k0orRAvbmTROVPHGSLw7
> oMNeapH1eRG5yn+erwqYazcoFXJ6AsIC5WUjAnClsSrHBCAnEn6rDU080F38xIQ3
> j1FBvwMOxAq/JR5eZZcBHlSpJad88Twfd7E+0fQcqgk+nnjH
> -----END CERTIFICATE-----
>
> I get the following information back regarding the certificates returned:
>
> Cipher used: DES-CBC3-SHA
> Subject DN: /C=US/ST=Colorado/L=Boulder/OU=IBM Global
> Services/O=IBM/CN=bluepages.ibm.com
> Issuer Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
>
> This information matches the CA's certificate information. As soon as I
> attempt to change the ldap object's verify status from none to require,
> the software dies during connection establishment. Has anyone had a
> similar problem? If so, how did you resolve it?
>
> perl-5.6.1
> perl-ldap-0.23
> IO-Socket-SSL-0.79
> Crypt-SSLeay-0.27
> Net_SSLeay-1.07
>
> Regards,
> Christian

What is in the 'die' message?

The IO::Socket::SSL interface changed a little bit a while ago; it is possible that I need to update the Net::LDAPS documentation to match. IIRC, the problem is that you *have* to set cafile and capath, otherwise you get some useless default behaviour. Since you usually only want to set one of cafile or capath, I think you have to simply set the other one to an empty string. (It looks like you're using capath, so set cafile to ''.) So, please check that.

Are you connecting to the right host, ie bluepages.ibm.com? I can't remember if OpenSSL checks that itself.

Otherwise, can you try and make sure that there's no underlying OpenSSL problem? Use the OpenSSL s_client program and attempt to connect to your directory. The -verify, -state and -debug options are useful. (It doesn't matter that s_client doesn't understand LDAP, you're just trying to test the SSL handshake.)

Cheers,
Chris
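The following script is an added example, not code from either poster or from the perl-ldap project. It puts Chris's two pieces of advice into one place: it opens the Net::LDAPS connection with verify => 'require', capath set and cafile explicitly set to '', and it surfaces the actual error text when the connect fails instead of letting the program die silently. Before touching the network it also checks that every CA file under capath is reachable through a <hash>.0 link computed by the local OpenSSL, because OpenSSL 1.0.0 changed the subject-hash algorithm: an 8-hex-digit link such as the ce23b666.0 in the thread, made with an older release, is silently ignored by a newer build until the directory is rehashed with c_rehash or openssl x509 -subject_hash. The hostname, port and capath are assumptions to be replaced with your own; the peer_certificate('subject') and get_cipher calls assume a current IO::Socket::SSL. On Chris's hostname question: OpenSSL's chain verification does not compare the hostname to the certificate, so that check is the caller's job, which current IO::Socket::SSL performs for you when verification is enabled.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): connect to an LDAPS directory
# with CA verification required, and report why the handshake fails instead of
# just dying. Host, port and capath are assumptions; adjust them for your site.
use strict;
use warnings;
use Net::LDAPS;
use IO::Socket::SSL;

my $host   = 'ldap.example.com';   # assumed hostname; must match the server cert's CN/SAN
my $capath = '/etc/ssl/certs';     # assumed directory of hash-named CA symlinks

# Sanity-check the capath before touching the network: every CA file should be
# reachable through a <subject_hash>.0 link, where the hash comes from the same
# OpenSSL build that IO::Socket::SSL is linked against. OpenSSL >= 1.0.0 changed
# the hash algorithm, so links made with an older release are ignored by newer
# builds; rerun c_rehash on the directory when this reports missing links.
sub check_capath {
    my ($dir) = @_;
    my @missing;
    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    for my $f (grep { /\.(crt|pem)$/ } readdir $dh) {
        my $hash = `openssl x509 -noout -subject_hash -in "$dir/$f"`;
        chomp $hash;
        next unless $hash;   # not a certificate, or openssl is not on PATH
        push @missing, "$f (expected link $hash.0)" unless -e "$dir/$hash.0";
    }
    closedir $dh;
    return @missing;
}

if (my @bad = check_capath($capath)) {
    warn "CA files without a hash link in $capath:\n  ", join("\n  ", @bad), "\n";
}

# verify => 'require' makes IO::Socket::SSL fail the connect unless the server
# cert chains to a CA found under capath. cafile is set to '' explicitly so the
# default-cafile behaviour mentioned in the thread does not take over.
my $ldap = Net::LDAPS->new(
    $host,
    port   => 636,
    verify => 'require',
    capath => $capath,
    cafile => '',
) or die "LDAPS connect to $host failed: $@\n"
      . "SSL error: " . (IO::Socket::SSL->errstr || 'none') . "\n";

# Same three facts the original poster printed, taken from the live socket.
my $sock = $ldap->socket;
printf "Cipher used: %s\n", $sock->get_cipher;
printf "Subject DN:  %s\n", $sock->peer_certificate('subject');
printf "Issuer Name: %s\n", $sock->peer_certificate('issuer');

$ldap->unbind;
```

If the die message names a verification failure (for example an "unable to get local issuer certificate" from OpenSSL), the capath check above usually explains it; if the handshake fails earlier, run the s_client check from the reply with -CApath pointing at the same directory so that Perl and OpenSSL are tested against identical trust settings.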