[Fedora-directory-users] solaris 10 SSL connections

George Holbert gholbert at broadcom.com
Thu Feb 16 21:23:50 UTC 2006


>
> I've renamed cert8 to cert7, same thing.  Everything goes clear text for some reason....?
Yah, I wouldn't expect this to help.  The file contents have more 
significance than the file name, and cert8 files aren't identical to 
cert7.  However, I'm not sure this is the problem, since Solaris 10 
might be able to use (or even require) cert8 files.

All you need in the Solaris client cert db files is the CA certificate 
of the CA which signed your FDS server's certificate.

I'd suggest using the certutil command, rather than Mozilla, to generate 
the cert db files.

The following recipe has worked well for me:

# Create new cert and key DB files.
certutil -N -d /var/ldap

# Add your ASCII CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap

# List the contents of your cert DB.
certutil -L -d /var/ldap


Try this first using certutil as included with Solaris 10 
(/usr/sfw/bin/certutil).  I think this will create a cert8 file.  If 
cert8 doesn't seem to work, try generating a cert7 file with an older 
version of the certutil command.  I've found that 3.3.2 is the latest 
version that will work for the Solaris 8 and 9 ldap name service client:
http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

Again, I'm not sure if the cert7/8 version problem is even an issue in 
Solaris 10, but it certainly is with 8 and 9.


-- George


Susan wrote:
> --- George Holbert <gholbert at broadcom.com> wrote:
>
>   
>> The ldapsearch command doesn't look in /var/ldap for the cert db.  It 
>> uses the current directory as the default cert db path.
>> You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap" 
>> argument to use the cert db in /var/ldap.
>>     
>
> yea, I tried that also, same result.  It just doesn't encrypt the connection.
>
>   
>> Also, the -v arg might help you narrow down what's happening.
>>     
>
> that doesn't add any more info.
>
>   
>> by earlier versions of the NSS tools.  Solaris 10 might be able to use 
>> cert8.db.
>>     
>
> I've renamed cert8 to cert7, same thing.  Everything goes clear text for some reason....?
>
> Now, if I take this exact same command, copy/paste into a linux box (I have to append -x for simple
> auth) then voila! it all gets scrambled and ethereal says "invalid LDAP header," because it can't
> parse SSL on LDAP port.
>
> So, it looks like FDS is OK but the solaris is no good here...  NO IDEA why..
>
> George, do you have ssl-enabled solaris ldap auth working with FDS?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
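The checks George's recipe implies, written out as a script. This is an added example and not part of the original thread or of Solaris/FDS: it verifies that the NSS database files certutil -N creates are present in /var/ldap, that the CA was imported with the "C" SSL-trust flag that -t "C,," sets, that the server really answers TLS on its LDAPS port, and finally that the Solaris ldapsearch connects over SSL. The hostname ldap.example.com, the CA nickname, the PEM path and the port are placeholders to override through the environment; the ldapsearch flags assume the Solaris ldapsearch (-Z for SSL, -P for the cert DB path, as discussed above), and the openssl and certutil paths assume the Solaris 10 /usr/sfw/bin layout mentioned in the post.

```shell
#!/bin/sh
# Sanity-check a Solaris LDAP client's NSS cert DB and its SSL connection to
# a Fedora Directory Server.  Added example; not from the original thread.
# Assumptions (placeholders, override via the environment):
CERTDB=${CERTDB:-/var/ldap}             # where certutil -N / -A wrote the DB
CA_NICK=${CA_NICK:-"Susan's CA"}        # nickname given to certutil -A -n
CA_PEM=${CA_PEM:-./susans-cacert.pem}   # the same CA cert, PEM form
LDAP_HOST=${LDAP_HOST:-ldap.example.com}
LDAP_PORT=${LDAP_PORT:-636}             # LDAPS port the FDS server listens on
PATH=/usr/sfw/bin:/usr/bin:$PATH        # Solaris 10 ships certutil/openssl in /usr/sfw/bin

# Read "certutil -L" output on stdin and print the trust column for the
# nickname given as $1.  certutil -L lists one cert per line as
# "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>"; the nickname may contain spaces,
# so take the last field as the trust string and everything before it as
# the nickname.  Prints nothing if the nickname is absent.
ssl_trust_flags() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            if (name == nick) { print flags; exit }
        }'
}

# Succeed only if the SSL part of the trust string (before the first comma)
# contains "C": trusted to issue server certs, which is what -t "C,," sets.
is_ssl_ca_trusted() {
    case "$1" in
        *,*,*) ssl=${1%%,*} ;;
        *)     return 1 ;;
    esac
    case "$ssl" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

check_ldap_ssl_client() {
    # 1. The DB files must exist.  Solaris 10's certutil writes cert8.db;
    #    the older NSS 3.3.2 certutil writes cert7.db.  Both need key3.db.
    if [ ! -f "$CERTDB/cert8.db" ] && [ ! -f "$CERTDB/cert7.db" ]; then
        echo "no cert7.db or cert8.db in $CERTDB; run: certutil -N -d $CERTDB" >&2
        return 1
    fi
    [ -f "$CERTDB/key3.db" ] || { echo "no key3.db in $CERTDB" >&2; return 1; }

    # 2. The CA must be in the DB with the C flag, or the client will not
    #    trust the server certificate FDS presents.
    flags=$(certutil -L -d "$CERTDB" | ssl_trust_flags "$CA_NICK")
    if ! is_ssl_ca_trusted "$flags"; then
        echo "CA '$CA_NICK' missing or untrusted (flags: '${flags:-none}')" >&2
        return 1
    fi

    # 3. Independently of NSS, confirm the server really speaks TLS on the
    #    port and that its certificate chains to the same CA.
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CA_PEM" </dev/null \
        | grep -q 'Verify return code: 0' || {
        echo "TLS handshake/verification to $LDAP_HOST:$LDAP_PORT failed" >&2
        return 1
    }

    # 4. Finally the Solaris ldapsearch itself (-Z = SSL, -P = cert DB path).
    ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -Z -P "$CERTDB" \
        -b "" -s base "objectclass=*" >/dev/null || return 1
    echo "SSL client setup in $CERTDB looks good"
}

# Live checks only when invoked as:  sh ldapssl-check.sh run
if [ "${1-}" = run ]; then
    check_ldap_ssl_client
fi
```

If step 3 passes but step 4 still shows cleartext in a packet capture, the problem is on the client side (cert DB format or the ldapsearch flags), not the FDS server; if step 3 itself fails, the server is not serving TLS on that port or its certificate does not chain to the CA you imported.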