Date: Fri, 30 Mar 2012 15:50:07 +0200 From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de> To: Current FreeBSD <freebsd-current@freebsd.org> Subject: SSL: wrong/broken in FreeBSD 10.0-CURRENT? Message-ID: <4F75BA0F.4080602@mail.zedat.fu-berlin.de>
Sorry for the naive headline.

I ran into massive problems on all of my FreeBSD 10.0-CURRENT driven boxes. PostgreSQL rejects accessing OpenLDAP via SSL, and all clients accessing the database and authenticating users via an SSL/TLS secured connection to OpenLDAP refuse working. This includes some very important facilities like textproc/refdb, databases/pgadmin3, www/mediawiki.

More scary, I tried to generate new SSL certificates for our small network. We have used small scripts for that task since FreeBSD 8.0. Creating a new CA certificate works fine, as does creating new certificates for clients based on the new CA. Well, what worked half a year before doesn't anymore and I have no clue what goes wrong.

I created a set of new CA, key and host certificate (self signed, of course) for OpenLDAP. Using the CA and key/cert from backup - created with the same conf and scripts on FBSD 8/9 that I use now on FBSD 10 - goes "smooth", but starting the OpenLDAP server fails. The log output of the server is as follows:

    TLS: could not use key file `/usr/local/etc/openldap/certs/server.key'.
    TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/x509_cmp.c:406
    main: TLS init def ctx failed: -1
    slapd stopped.
    connections_destroy: nothing to destroy.
    /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

As far as I can dig from the web, this error code "TLS: error:0B080074:x509 certificate..." is due to mismatching CN names. But why all of a sudden should that be wrong? Did something significantly change in FreeBSD 10.0-CURRENT these days?
Regards,
Oliver
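The X509_check_private_key failure quoted in the log is OpenSSL comparing the public key embedded in the certificate with the public key derived from the private key; it does not look at the CN. As an added example (not the poster's scripts and not part of the original message), the shell function below repeats that comparison with the openssl command line on a constructed key/certificate pair plus a deliberately unrelated key, so a mismatched pair can be spotted before slapd is restarted. File names and the CN are made up for the demo.

```shell
#!/bin/sh
# Repeat the check slapd's TLS init performs: the public key inside the
# certificate must equal the public key derived from the private key.
# Returns 0 on match, 1 on "key values mismatch", 2 if a file is unreadable.
key_matches_cert() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo material (not the poster's files): one self-signed
# certificate with its own key, and a second key that never signed anything.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.crt" \
    -subj "/CN=ldap.example.test" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" >/dev/null 2>&1

# A matching pair passes; a certificate paired with a foreign key is exactly
# the situation behind "X509_check_private_key:key values mismatch".
if key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key"; then
    echo "server.crt / server.key: match"
fi
if ! key_matches_cert "$demo_dir/server.crt" "$demo_dir/other.key"; then
    echo "server.crt / other.key: key values mismatch"
fi
```

Run the same function against the real TLSCertificateFile and TLSCertificateKeyFile from slapd.conf to see whether the restored backup actually contains the key that belongs to the certificate.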
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F75BA0F.4080602>