Hello, I am trying to connect to an OpenLDAP server from Roundcube using SSL. However, the SSL connection is never properly initialized due to error 81 from the LDAP server. If I try
openssl s_client -connect ldap.example.com:636 -showcerts -state -ssl3 -CAfile cacerts.pem
then creating SSL connection works just fine (verify return code is 0). In this case the server certificate is self-signed and is included in cacerts.pem.
I wonder if there is any mechanism in Roundcube or PHP to deal with self-signed server certificates when using LDAP->connect/bind? I would expect a way to introduce server certificates of trusted peer servers (such as the LDAP server above). How can this be done in Roundcube? If this is a PHP/Apache-level issue, then please let me know.
WBR, --jari
On Jul 10, 2006, at 6:24 AM, Jari Majander wrote:
Hello, I am trying to connect to an OpenLDAP server from Roundcube using SSL. However, the SSL connection is never properly initialized due to error 81 from the LDAP server. If I try
openssl s_client -connect ldap.example.com:636 -showcerts -state -ssl3 -CAfile cacerts.pem
This doesn't sound like a roundcube issue. What you probably need to do is import the self signed cert/ca into your ca-bundle. This file lists all the trusted sources for certs. If the cert can't be trusted, the connection shouldn't be opened, thus you have the failure mode you describe.
In the above example you're specifying a CAfile; if you don't do that you'll see that openssl doesn't consider your self signed cert valid.
Depending on operating system you'll need to figure out where your list of trusted certs is kept and append the PEM format of your CA to it. Then, you should be able to connect via openssl without specifying a CAfile and the php ldap bind should work. Back up files before changing them :)
-- J.
On 7/11/06, Jason Stelzer cynic@elitistbastard.com wrote:
Depending on operating system you'll need to figure out where your list of trusted certs is kept and append the PEM format of your CA to it.
That's exactly what my question is about. I'm using Apache 2 on Ubuntu and Red Hat. I assumed PHP relies on Apache 2 for management of trusted peers (does it?). In mods-available/ssl.conf I have the following directive
SSLCACertificateFile /etc/apache2/ssl/cacerts.pem
This directive is visible also via symbolic link from mods-enabled. However, appending the OpenLDAP server's self-signed certificate in PEM format in cacerts.pem didn't work, whereas openssl s_client with the same cert file works just fine.
If I tethereal port 636 in my OpenLDAP server, then TLS handshaking looks fine as far as I can tell... I need more time to investigate the matter. Anyway, thanks for your replies.
-- jari
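An added example, not code from either poster or from Roundcube: PHP's ldap extension wraps OpenLDAP's libldap, so it takes its trust store from libldap (the TLS_CACERT directive in /etc/ldap/ldap.conf on Debian/Ubuntu or /etc/openldap/ldap.conf on Red Hat), not from Apache's SSLCACertificateFile. The script below pins the CA bundle per process instead and surfaces the TLS diagnostic when the handshake fails; the hostname, port and file path are placeholders, and the LDAP_OPT_X_TLS_* and LDAP_OPT_DIAGNOSTIC_MESSAGE options require PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Make PHP's LDAP client trust a
// self-signed LDAP server certificate explicitly, then probe the ldaps://
// handshake. Placeholder values: adjust host, port and CA bundle path.
$host   = 'ldap.example.com';
$port   = 636;
$caFile = '/etc/ssl/certs/ldap-ca.pem'; // PEM bundle holding the server's
                                         // self-signed cert or its issuing CA

// LDAP_OPT_X_TLS_* options are global to libldap in this process, so they
// are set with a null handle before ldap_connect().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
// Require a certificate that chains to $caFile. Do not relax this to
// LDAP_OPT_X_TLS_NEVER: that disables verification and the connection could
// be intercepted without any error being reported.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect("ldaps://$host:$port");
if ($ds === false) {
    exit("ldap_connect: malformed LDAP URI\n");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// ldap_connect() only parses the URI; the TLS handshake happens on the first
// operation. A trust failure therefore shows up as a failed bind with
// "Can't contact LDAP server", and the diagnostic message names the TLS cause.
if (@ldap_bind($ds) === false) {            // anonymous bind, just to probe TLS
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    printf("bind failed: %d %s\n%s\n", ldap_errno($ds), ldap_error($ds), $diag);
    exit(1);
}
echo "TLS handshake succeeded: server certificate chains to $caFile\n";
ldap_unbind($ds);
```

Run it from the command line as the web server's user: if it succeeds there but Roundcube still fails, the Apache-spawned PHP process is not reading the same ldap.conf or CA file.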