directory-dev mailing list archives

From "Joe Ammann (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Commented: (DIR-185) ldaps not working with gpg
Date Tue, 13 Jun 2006 16:37:30 GMT
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416034 ] 

Joe Ammann commented on DIR-185:
--------------------------------

If gpg is based on OpenLDAP, you might have to reduce the LDAP connection security checks
that are applied by default. To lower the checks performed by the OpenLDAP library, you can
set properties in $HOME/.ldaprc

TLS_CACERT /path/to/cacert.pem
TLS_REQCERT never

ldap.conf(5) has more detailed descriptions of the options. I tested this with the GQ client,
and setting the appropriate options allowed me to connect to an LDAPS server with a self-signed
certificate.


> ldaps not working with gpg
> --------------------------
>
>          Key: DIR-185
>          URL: http://issues.apache.org/jira/browse/DIR-185
>      Project: Directory
>         Type: Bug
>   Components: miscellaneous
>  Environment: cygwin gpg (GnuPG) 1.4.1
>     Reporter: Ralf Hauser
>     Assignee: Alex Karasulu
>
> when doing 
> myPc> gpg --keyserver ldaps://localhost:2636 --search micky -v
> gpg: searching for "micky -v" from ldaps server localhost
> gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
> gpg: key "micky -v" not found on keyserver
> gpg: keyserver internal error
> gpg: keyserver search failed: keyserver error
> on the server-side, I see 
> <<7594 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] OPENED
> 8016 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] CLOSED
> 8016 [IoThreadPool-1] ERROR org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] EXCEPTION:
> javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:422)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:494)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:761)
> 	at org.apache.mina.filter.ThreadPoolFilter.processEvent(ThreadPoolFilter.java:665)
> 	at org.apache.mina.filter.ThreadPoolFilter$Worker.processEvents(ThreadPoolFilter.java:421)
> 	at org.apache.mina.filter.ThreadPoolFilter$Worker.run(ThreadPoolFilter.java:376)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
> 	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> 	at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:675)
> 	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:492)
> 	at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:291)
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:390)
> 	... 6 more>>
> it would be great to know what ca gpg is presenting or what other measures would make this work...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
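The `unknown_ca` alert in the server trace means the client side (gpg's LDAP helper, built on the OpenLDAP library) rejected the server's self-signed certificate. The comment above gets past that with `TLS_REQCERT never`, which switches certificate verification off for every LDAP connection the user makes. The script below is an added example, not from the JIRA thread or the Apache Directory project: it writes an `.ldaprc` that instead pins the server's own certificate via `TLS_CACERT` and keeps `TLS_REQCERT demand`, and it includes a small audit function that flags an ldaprc which disables the checks. Paths such as `/etc/ssl/certs/ldap-server.pem` are placeholders; the option names and values are the documented ldap.conf(5) ones.

```shell
#!/bin/sh
# Added example (not part of the DIR-185 thread): pin a self-signed LDAPS
# server certificate in ~/.ldaprc instead of disabling verification.

# write_ldaprc CACERT_PATH OUTFILE
# Writes an ldaprc that trusts exactly the given PEM file (the server's
# self-signed certificate or the private CA that issued it) and requires the
# server to present a certificate that chains to it.
write_ldaprc() {
    cacert="$1"
    outfile="$2"
    cat > "$outfile" <<EOF
# Trust only this certificate/CA for LDAPS connections
TLS_CACERT $cacert
# Refuse the session unless the server presents a valid, matching certificate
TLS_REQCERT demand
EOF
}

# audit_ldaprc FILE
# Returns 0 when the file keeps certificate verification on (a TLS_CACERT is
# configured and TLS_REQCERT is not set to never/allow), 1 otherwise.
# "never" skips verification entirely; "allow" accepts a bad or missing
# certificate, so both leave the connection open to an impersonated server.
audit_ldaprc() {
    file="$1"
    if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)([[:space:]]|$)' "$file"; then
        echo "WEAK: $file disables server certificate verification" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT[[:space:]]+[^[:space:]]' "$file"; then
        echo "WEAK: $file has no TLS_CACERT, so the self-signed cert cannot be trusted" >&2
        return 1
    fi
    echo "OK: $file pins a CA and requires a valid server certificate" >&2
    return 0
}

# Demonstration on constructed files (only runs when executed directly).
if [ "${LDAPRC_DEMO:-}" = "1" ]; then
    tmp=$(mktemp -d)
    # The setting suggested in the thread: works, but turns verification off.
    printf 'TLS_CACERT /etc/ssl/certs/ldap-server.pem\nTLS_REQCERT never\n' > "$tmp/weak.ldaprc"
    audit_ldaprc "$tmp/weak.ldaprc" || true
    # The pinned alternative: same self-signed server, verification kept on.
    write_ldaprc /etc/ssl/certs/ldap-server.pem "$tmp/pinned.ldaprc"
    audit_ldaprc "$tmp/pinned.ldaprc"
    rm -rf "$tmp"
fi
```

Run with `LDAPRC_DEMO=1 sh ldaprc_pin.sh` to see both verdicts. With the pinned file in place, the same `gpg --keyserver ldaps://localhost:2636 ...` invocation should succeed once `/etc/ssl/certs/ldap-server.pem` contains the certificate that the Apache Directory server actually presents, and an LDAPS endpoint presenting any other certificate is still rejected.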