httpd-users mailing list archives

From Alexander Fortin <ali...@it.net.au>
Subject Re: [users@httpd] mod_authnz_ldap and SSL
Date Thu, 18 Oct 2007 04:09:39 GMT
Eric Covener wrote:
> On 10/17/07, Alexander Fortin <alieno@it.net.au> wrote:
>> <IfModule util_ldap.c>
>>          LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/cacert.pem
>>          LDAPTrustedMode SSL
>>          LDAPVerifyServerCert off
>> </IfModule>
> 
> Wireshark will format the initial stages of the handshake pretty
> nicely, you might see something fishy or a plaintext SSL Alert.
> 
> Can openssl handshake w/ the ldap server?  Is its cert  issued by that
> cacert.pem?  Can openssl validate the cert chain when you give it that
> same cacert.pem?
> 

Yes, openssl looks fine to me. Or at least from the console:

# openssl s_client -connect myldapserver:636 -CAfile /etc/ssl/certs/cacert.pem

CONNECTED(00000003)
---
Certificate chain
  0 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=myldapserver/emailAddress=my@email
    i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
  1 s:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
    i:/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEXjCCA8egAwIBAgIBAzANBgkqhkiG9w0BAQQFADCByjELMAkGA1UEBhMCQVUx
[...]
-----END CERTIFICATE-----
subject=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet services/CN=myldpaserver/emailAddress=my@email
issuer=/C=AU/ST=Western Australia/L=myplace/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration/emailAddress=my@email
---
No client certificate CA names sent
---
SSL handshake has read 2364 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DES-CBC3-SHA
     Session-ID: 6BE2EE5A88866AB4D8303ECBB0BD1CA5DD905E3EC5DDBA9A3A1D0652EB3B6829
     Session-ID-ctx:
     Master-Key: 0454B3AF0B372ED6B530FA25C57DC3E34049A58125EBC99A25B674D9545BE7322D536273C654C53CE9C58DDE410A8A7C
     Key-Arg   : None
     Start Time: 1192679978
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---


-- 
Alexander Fortin
IT Consultant
Informed Technology Pty Ltd
E-mail: alieno@it.net.au
Ph: 08 9460 4888  Fax: 08 9460 4877

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
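As an added example (not part of the thread above), here is a small Python script that reads saved `openssl s_client` output and answers the three questions Eric asked (did the handshake complete, is the leaf cert issued by the CA in cacert.pem, does the chain verify) plus the hostname check that a client doing real server verification would also apply. The sample output is constructed from the post above with the DNs shortened; the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the s_client output quoted in the
# post, with the DNs shortened.  Real usage: openssl s_client ... > out.txt
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/O=mycompany Pty Ltd/OU=Internet Services/CN=myldapserver
   i:/C=AU/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration
 1 s:/C=AU/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration
   i:/C=AU/O=mycompany Pty Ltd/OU=Internet Services/CN=Security Administration
---
SSL handshake has read 2364 bytes and written 308 bytes
---
    Verify return code: 0 (ok)
"""

def parse_chain(output):
    """Return [(subject_dn, issuer_dn), ...] from the 'Certificate chain'
    section, depth 0 (the server's own cert) first."""
    chain, subject = [], None
    for line in output.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def cn_of(dn):
    """Extract the CN attribute from an OpenSSL-style '/C=..../CN=...' DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else None

def verify_return_code(output):
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def check_ldap_tls(output, expected_host, ca_cn):
    """Named boolean results for the checks discussed in the thread.
    'chain_verified' is the cryptographic result; the CN comparisons are only
    sanity checks (hostname matching in real clients also looks at SANs)."""
    chain = parse_chain(output)
    leaf_subject, leaf_issuer = chain[0] if chain else ("", "")
    return {
        "handshake_completed": "SSL handshake has read" in output,
        "chain_verified": verify_return_code(output) == 0,
        "leaf_issued_by_ca": cn_of(leaf_issuer) == ca_cn,
        "hostname_matches": (cn_of(leaf_subject) or "").lower() == expected_host.lower(),
    }
```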