[Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server

Rich Megginson rmeggins at redhat.com
Mon Apr 14 18:08:03 UTC 2008 

Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> That should be fine.  Fedora DS can do the same thing e.g. with 
>> server-to-server chaining and replication, using the server cert for 
>> client cert auth.  It just depends on the type of cert issued and/or 
>> the trust flags on the cert.
> If I understand correctly you're implying that server2server ssl 
> connections are handled with the same logic that client2server ssl?
What I meant was that the server handles any client cert based auth the 
same way, regardless of whether the "client" is a user or another server.
>
> Then it's strange, since I'm using multi-master replication with all 
> s2s connections using SSL (port 636). I've generated all the 
> certificates (for FDS servers and for OpenLDAP servers) using the same 
> OpenSSL CA openssl.cnf config file (but a slightly different 
> configuration section WRT subjectAltName field - see below).
>
> The relevant fields of the OpenLDAP server's certificate are:
>
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Cert Type:
>                SSL Server
> ...
>            X509v3 Subject Alternative Name:
>                email:postmaster at MY_DOMAIN_NAME
>
> While the same fields of the FDS certificate are:
>
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Cert Type:
>                SSL Server
> ...
>            X509v3 Subject Alternative Name:
>                DNS:servername2.MY_DOMAIN_NAME, 
> DNS:servername3.MY_DOMAIN_NAME
>
> Other differences are only in key length, crypto algorithms and values 
> of serial numbers, fingerprint etc.
>
> So the only one possibly relevant difference is that in OpenLDAP's 
> cert the subjectAltName field contains an e-mail address and in Fedora 
> Directory Server's it contains alternative DNS host names of the FDS 
> server. Might it be the cause?
I'm not sure how NSS handles certificate verification with 
subjectAltName.  I know that in order for the validation to work without 
subjectAltName, the leftmost RDN in the subjectDN must be cn=FQDN of the 
server e.g. cn=ldap1.example.com, ou=Fedora Directory Server, 
dc=example, dc=com

I'm also not sure if that applies to cert based auth.
>>
>>>
>>> I thought that there might be a similar method to tweak behaviour of 
>>> dirsrv (although not through nss.conf since dirsrv doesn't use 
>>> mod_nss and doesn't contain a http server in any part ), like some 
>>> undocumented setting in dse.ldif. However, more correct fix turned 
>>> out to be disallow certificate-based client authentication.
>> See the RHDS 8.0 Admin Guide, Chapter 12 - 
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and 
>> http://tinyurl.com/688w9y
>>
>> See also the detailed information for all of the security/encryption 
>> configuration entries and attributes - http://tinyurl.com/35qddb - 
>> there is also an apparently undocumented entry cn=RSA, cn=encryption, 
>> cn=config.
> Yup, I've read that but there isn't anything conclusive over there. I 
> was counting on some undocumented configuration attribute that would 
> control which usages are allowed in client x.509 certs.
>
Ok.  I'm not sure what NSS is complaining about here.  If NSS is 
complaining about the hostname in the subjectDN or the subjectAltName 
doesn't match the actual server, I don't think that makes sense in the 
context of cert based auth, since a client will usually not have an 
associated FQDN.  So I believe it's complaining that the cert was not 
issued as an SSL client cert.  I do know that you can issue a cert that 
can be used for both SSL server and SSL client use.  I'm not sure if you 
can use certutil -M to modify the trust flags of a server cert after 
issuance to allow it to be used for SSL client use.  The guys at 
news.mozilla.org:mozilla.dev.tech.crypto would know for sure.

Finally, there doesn't appear to be a way in Fedora DS to allow other 
types of certificates to be used for client cert auth, or to ignore 
problems of this nature.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080414/16166e36/attachment.bin>

More information about the Fedora-directory-users mailing list