Date:      Fri, 30 Mar 2012 15:50:07 +0200
From:      "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
To:        Current FreeBSD <freebsd-current@freebsd.org>
Subject:   SSL: wrong/broken in FreeBSD 10.0-CURRENT?
Message-ID:  <4F75BA0F.4080602@mail.zedat.fu-berlin.de>


Sorry for the naive headline.

I ran into massive problems on all of my FreeBSD 10.0-CURRENT driven
boxes. PostgreSQL rejects accessing OpenLDAP via SSL, and all clients
accessing the database and authenticating users via an SSL/TLS secured
connection to OpenLDAP refuse to work. This includes some very important
facilities like textproc/refdb, databases/pgadmin3, www/mediawiki.

More scary, I tried to generate new SSL certificates for our small
network. We have used small scripts for that task since FreeBSD 8.0.
Creating a new CA certificate works fine, as does creating new
certificates for clients based on the new CA.

Well, what worked half a year ago doesn't anymore, and I have no clue
what goes wrong.

I created a set of new CA, key and host certificates (self signed, of
course) for OpenLDAP.
Using the CA and key/cert from backup (created with the same conf and
scripts on FBSD 8/9 that I now use on FBSD 10) goes "smooth", but
starting the OpenLDAP server fails.
The log output of the server is as follows:

  TLS: could not use key file `/usr/local/etc/openldap/certs/server.key'.
  TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
  /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/x509_cmp.c:406
  main: TLS init def ctx failed: -1
  slapd stopped.
  connections_destroy: nothing to destroy.
  /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd


As far as I can dig from the web, this error code "TLS: error:0B080074:x509
certificate..." is due to mismatching CN names. But why, all of a sudden,
should that be wrong?

Did something change significantly in FreeBSD 10.0-CURRENT these days?

Regards,
Oliver
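
X509_check_private_key, the routine named in the log above, compares the public key embedded in the certificate with the public key derived from the private key file, and reports "key values mismatch" when the two differ. The following script is an added example, not part of the original mail or of OpenLDAP; it reproduces that comparison with the openssl CLI (assumed to be installed) on a constructed throw-away certificate, so a stale or swapped key file can be spotted before slapd is started.

```shell
#!/bin/sh
# Added example, not part of the original mail or of OpenLDAP/FreeBSD.
# Reproduces the check slapd relies on (OpenSSL's X509_check_private_key):
# the public key embedded in the certificate must equal the public key
# derived from the private key. Assumes the openssl CLI is installed.

# Return 0 when KEY belongs to CERT, 1 when it does not, 2 when a file
# cannot be parsed at all (wrong path, wrong format, encrypted key, ...).
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# Constructed fixture: a throw-away self-signed server cert with its own key,
# plus a second, unrelated key standing in for a key file restored from an
# old backup that does not belong to the installed certificate.
make_fixture() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# Run the check against the named key inside a fresh fixture, then clean up.
# Exit status is that of key_matches_cert.
check_fixture() {
    d=$(make_fixture) || return 2
    key_matches_cert "$d/server.crt" "$d/$1"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone demo: report the outcome for the matching and the stale key.
if check_fixture server.key; then echo "server.key matches server.crt"; fi
if ! check_fixture other.key; then echo "other.key does NOT match server.crt"; fi
```

Point key_matches_cert at the real server.crt and server.key to test an installed pair; an exit status of 1 is the condition that makes slapd print the error quoted above.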

