From: "O. Hartmann"
Date: Fri, 30 Mar 2012 15:50:07 +0200
To: Current FreeBSD
Subject: SSL: wrong/broken in FreeBSD 10.0-CURRENT?
List-Id: Discussions about the use of FreeBSD-current

Sorry for the naive headline.
I ran into massive problems on all of my FreeBSD 10.0-CURRENT driven boxes. PostgreSQL rejects accessing OpenLDAP via SSL, and all clients accessing the database and authenticating users via an SSL/TLS secured connection to OpenLDAP refuse to work. This includes some very important facilities like textproc/refdb, databases/pgadmin3, www/mediawiki.

More scary, I tried to generate new SSL certificates for our small network. We have used small scripts for that task since FreeBSD 8.0. Creating a new CA certificate works fine, including creating new certificates for clients based on the new CA.

Well, what worked half a year before doesn't anymore and I have no clue what goes wrong. I created a set of new CA, key and host certificate (self signed, of course) for OpenLDAP. Using the CA and key/cert from backup - created with the same conf and scripts on FBSD 8/9 that I now use on FBSD 10 - goes "smooth", but fails when starting the OpenLDAP server. The log output of the server is as follows:

TLS: could not use key file `/usr/local/etc/openldap/certs/server.key'.
TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/x509_cmp.c:406
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

As far as I can dig from the web, this error code "TLS: error:0B080074:x509 certificate..." is due to mismatching CN names. But why, all of a sudden, should that be wrong? Did something significant change in FreeBSD 10.0-CURRENT these days?

Regards,
Oliver
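
OpenSSL raises the error in the log above, X509_check_private_key: key values mismatch, when the public key inside the certificate differs from the public half of the key file. The following is an added example, not part of the original message, that performs the same comparison with openssl(1). The function names, the CN `ldap.example.test` and the generated files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check whether a certificate and a private key belong together.
# Assumes the key file is unencrypted, as is usual for a key a daemon loads.

# cert_matches_key CERT KEY
# returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Both commands emit the public key as PEM, so string equality suffices.
    [ "$cert_pub" = "$key_pub" ]
}

# make_sample DIR
# Constructed sample data: a throwaway self-signed certificate with its key,
# plus an unrelated key that must NOT match the certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# When called with two arguments, check that pair and report the result.
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "certificate and key match" ;;
        1) echo "MISMATCH: certificate was issued for a different key" ;;
        *) echo "could not read certificate or key" ;;
    esac
fi
```

Run it with the server certificate as the first argument and the key file as the second, for example the `server.key` path named in the log.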