directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maiorano Pasquale <>
Subject R: R: R: R: how to set TLS connection with ApacheDS
Date Thu, 06 Apr 2017 09:02:50 GMT
Thank You Emmanuel. I get tour point. I'l try to stress you as less as possible, also for your
baby that need your care. Up to now I found a workaround running the compilation with the
option\DEM\trustedDEM.ks. Now it works. It remain the incredible
problem, from my poit of view, why it does not work adding the same certificate to Cacerts.
It works if I add the same certificate to a new TrustStore and link the client to this trustStore.
Anyway I have to go on and have to face the issue related to the Passwor policy that was in
stanby up to now due to this problem. Many thanks again Emanuel e see you soon

Il presente messaggio e-mail e ogni suo allegato devono intendersi indirizzati esclusivamente
al destinatario indicato e considerarsi dal contenuto strettamente riservato e confidenziale.
Se non siete l'effettivo destinatario o avete ricevuto il messaggio e-mail per errore, siete
pregati di avvertire immediatamente il mittente e di cancellare il suddetto messaggio e ogni
suo allegato dal vostro sistema informatico. Qualsiasi utilizzo, diffusione, copia o archiviazione
del presente messaggio da parte di chi non ne è il destinatario è strettamente proibito
e può dar luogo a responsabilità di carattere civile e penale punibili ai sensi di legge.
Questa e-mail ha valore legale solo se firmata digitalmente ai sensi della normativa vigente.

The contents of this email message and any attachments are intended solely for the addressee(s)
and contain confidential and/or privileged information.
If you are not the intended recipient of this message, or if this message has been addressed
to you in error, please immediately notify the sender and then delete this message and any
attachments from your system. If you are not the intended recipient, you are hereby notified
that any use, dissemination, copying, or storage of this message or its attachments is strictly
prohibited. Unauthorized disclosure and/or use of information contained in this email message
may result in civil and criminal liability. “
This e-mail has legal value according to the applicable laws only if it is digitally signed
by the sender
-----Messaggio originale-----
Da: Emmanuel Lécharny []
Inviato: giovedì 6 aprile 2017 10:48
A: Apache Directory Developers List
Oggetto: Re: R: R: R: how to set TLS connection with ApacheDS

Le 06/04/2017 à 09:52, Maiorano Pasquale a écrit :
> The client certificate has been generated by means of keytool with the following command:
> At the very beggining we hve generate the keystored used by apacheDS:
> keytool –genkey –keyalg “RSA” –dname “cn=localhost, ou=ApacheDS,
> o=ASF, c=US” –alias dem –keystore “C:\DEM\DEM.ks” –storepass secret –validity
730 and then we have generated the self signed certificate: Keytool -export –keystore “C:\DEM\DEM.ks”
–alias dem -file “C:\DEM\DEM.cer”
> and then we have added the DEM.cer certificate to the "cacerts" trusted store of the
JVM.these are the three steps adviced on the Basic User guide.
> Could you please take a look to the log added in my prevoius mail where is stated all
the messages produced by the client and the server during the handsheking? This is to verify,
looking the signature  and the chain messages, what is the problem.
> Thank you very much for you support, but I am in trouble, because I have to delivery
my SW, ad I am in terrible delay.

I understand. However, I'm dealing with a 1 month old baby, a day job, and many other constrainst.
At teh same time, I do my best to answer questions as much as I can, considering the very
little amount of time I have.

Bottom line, I want to be clear that this is open source software, for which peple are working
on a volunteer base, which means we don't get paid to deliver the software, although we really
do our best to deliver something that *works*.

Your problem is clearly a user problem, not a ApacheDS problem : we use the API in Studio,
and it works pretty well when it comes to TLS, so there is clearly some misconfiguration on
your side, that I *whish* to have enough time to investigate, but sadly, time that I don't
always have.

When it comes to use TLS on the client side, the existing documentation, as liited as it is,
can be find on The certificate
pages is not yet updated, and I'm sorry for that : This is something I can
work on at the end of this week, as it's critical for many users, but I can't do any false
promise. OTOH, it's really basic Java stuff, so I would suggest that you first try with JNDI
to see what's wrong with the client side certificate.

Don't get me wrong : I'm not telling you to do your homeworks, I'm just trying to depict the
way we work, and why it's not perfect. This is also why we expect users to conduct their due
diligence before engaging with their customer, and we always expect people using our software
to be dedicated enough to report bugs, provide documentation pacthes based on user experience,
tests, or even better, patches.

At the end of the day, this is *YOUR* software as much as ours.

Emmanuel Lecharny

View raw message