Subject: Re: R: R: R: how to set TLS connection with ApacheDS
To: Apache Directory Developers List
From: Emmanuel Lécharny
Date: Thu, 6 Apr 2017 10:47:51 +0200

On 06/04/2017 at 09:52, Maiorano Pasquale wrote:
> The client certificate has been generated by means of keytool with the following command:
> At the very beginning we have generated the keystore used by ApacheDS:
> keytool -genkey -keyalg "RSA" -dname "cn=localhost, ou=ApacheDS, o=ASF, c=US" -alias dem -keystore "C:\DEM\DEM.ks" -storepass secret -validity 730
> and then we have generated the self signed certificate: keytool -export -keystore "C:\DEM\DEM.ks" -alias dem -file "C:\DEM\DEM.cer"
> and then we have added the DEM.cer certificate to the "cacerts" trusted store of the JVM. These are the three steps advised in the Basic User Guide.
> Could you please take a look at the log added in my previous mail, where all the messages produced by the client and the server during the handshake are stated? This is to verify, by looking at the signature and the chain messages, what the problem is.
> Thank you very much for your support, but I am in trouble, because I have to deliver my SW, and I am terribly late.

I understand. However, I'm dealing with a 1 month old baby, a day job, and many other constraints. At the same time, I do my best to answer questions as much as I can, considering the very little amount of time I have.
Bottom line, I want to be clear that this is open source software, for which people are working on a volunteer basis, which means we don't get paid to deliver the software, although we really do our best to deliver something that *works*.

Your problem is clearly a user problem, not an ApacheDS problem: we use the API in Studio, and it works pretty well when it comes to TLS, so there is clearly some misconfiguration on your side, which I *wish* I had enough time to investigate, but sadly, time is something I don't always have.

When it comes to using TLS on the client side, the existing documentation, as limited as it is, can be found at http://directory.apache.org/api/user-guide/5.1-ldaps.html. The certificate page is not yet updated, and I'm sorry for that: http://directory.apache.org/api/user-guide/5.5-certificates.html. This is something I can work on at the end of this week, as it's critical for many users, but I can't make any false promises.

OTOH, it's really basic Java stuff, so I would suggest that you first try with JNDI to see what's wrong with the client side certificate.

Don't get me wrong: I'm not telling you to do your homework, I'm just trying to depict the way we work, and why it's not perfect. This is also why we expect users to conduct their due diligence before engaging with their customers, and we always expect people using our software to be dedicated enough to report bugs, provide documentation patches based on user experience, tests, or even better, patches.

At the end of the day, this is *YOUR* software as much as ours.

-- 
Emmanuel Lecharny
Symas.com
directory.apache.org
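The plain-JNDI check suggested above, written out as an added example (it is not from the thread, the ApacheDS project or the Apache LDAP API). It assumes an ApacheDS instance listening on its default LDAPS port 10636 with the default admin account, and that the exported DEM.cer was imported into a dedicated truststore (assumed path C:\DEM\truststore.ks) rather than into the JVM-wide cacerts:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Minimal LDAPS connectivity check using only JNDI, so that a failure can be
 * attributed to the certificate/trust setup rather than to the Apache LDAP API.
 *
 * Assumed preparation (not part of the thread): import the exported server
 * certificate into its own truststore instead of touching the JVM cacerts:
 *   keytool -importcert -file C:\DEM\DEM.cer -alias dem -keystore C:\DEM\truststore.ks -storepass changeit
 * Run with -Djavax.net.debug=ssl:handshake to see the client/server handshake
 * messages (certificate chain, signature, alert) the thread asks about.
 */
public class LdapsCheck {

    public static DirContext connect(String url, String trustStore, String trustStorePassword)
            throws NamingException {
        // Point the default SSLContext at the truststore that holds the self-signed server certificate.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The host name in the URL should match the certificate's cn (localhost in the quoted keytool command).
        env.put(Context.PROVIDER_URL, url);
        // "ssl" selects LDAPS: TLS from the first byte, as opposed to StartTLS on the plain port.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system"); // ApacheDS default admin DN
        env.put(Context.SECURITY_CREDENTIALS, "secret");            // ApacheDS default admin password
        // A trust or handshake problem surfaces here as javax.naming.CommunicationException
        // whose root cause is an SSLHandshakeException (e.g. "unable to find valid certification path").
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        DirContext ctx = connect("ldaps://localhost:10636", "C:\\DEM\\truststore.ks", "changeit");
        System.out.println("TLS handshake and simple bind succeeded");
        ctx.close();
    }
}
```

If this succeeds but the Apache LDAP API connection does not, the keystore and certificate are fine and the difference lies in how the API's LdapConnectionConfig is given its trust settings; if it fails the same way, the problem is in the certificate or trust material itself.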