On 06/21/2013 07:48 AM, Rodney Simioni wrote:
Comments below.
-----Original Message-----
From: dev-tech-crypto-bounces+rodney.simioni=verio....@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+rodney.simioni=verio.net@lists.mozilla.org] On Behalf Of Robert Relyea
Sent: Thursday, June 20, 2013 7:16 PM
To: dev-tech-crypto@lists.mozilla.org; Elio Maldonado
Subject: Re: moznss error -8172
On 06/20/2013 02:56 PM, Rodney Simioni wrote:
I'm trying to setup LDAP/SSL/TLS. Somebody told me that PKCS is a
moznss issue and I should ask this question with you guys and not the
openssl group.
What OS are you running? It does look like you are using NSS.
[[Rod's comment]] Red Hat 6.4
TLS: certdb config: configDir='/etc/openldap/cacerts/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts/', error -8018:Unknown PKCS #11 error.
Here it looks like it's trying to open NSS databases located in
/etc/openldap/cacerts. Since it doesn't actually fail here, I presume
that it's now falling back to something else, so I don't think this is
necessarily your problem.
[[Rod's comment]] Thanks.
TLS: loaded CA certificate file /etc/openldap/cacerts//5e5a5bcb.0 from CA certificate directory /etc/openldap/cacerts/.
I'm guessing it is using libpem here to load the openldap certificate. It
seems to indicate that this was successful.
[[Rod's comment]] Agreed.
TLS: certificate [E=s...@stuff.com,CN=fl1-lsh99apa007.securesites.com,OU=shit,O=Verio,L=Boca,ST=Florida,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
This means that the given cert wasn't signed by any trusted certificate.
[[Rod's comment]] Can I sign it by using the CA I downloaded from
Geotrust?
Was your LDAP SSL server cert issued by Geotrust?
If so, what's in /etc/openldap/cacerts/53515bcb.0?
This could be because the certificate was not found in
/etc/openldap/cacerts/53515bcb.0, or because libpem decided not to
trust the cert found in this location.
Any help will be greatly appreciated.
I'm guessing that you are running on some version of RHEL or Fedora. Can
you say which one?
[[Rod's comment]] Red Hat 6.4
Thanks,
bob
Rod
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto