<DIV>Hi,</DIV> <DIV>FreeRADIUS with OpenLDAP is OK when using cleartext communication.</DIV> <DIV>Now I want to use TLS.</DIV> <DIV> </DIV> <DIV>openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows that the cacert/cert/key are correct.</DIV> <DIV> </DIV> <DIV> </DIV> <DIV> <STRONG>But when I use FreeRADIUS with TLS, errors pop up:</STRONG></DIV> <DIV> </DIV> <DIV><STRONG>FreeRADIUS error:</STRONG></DIV> <DIV>rlm_ldap: - authorize<BR>rlm_ldap: performing user authorization for hwang<BR>radius_xlat: '(uid=hwang)'<BR>radius_xlat: 'ou=People,dc=aerohive,dc=com'<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to
/usr/local/etc/openldap/ssl/cacert.pem<BR>rlm_ldap: setting TLS Require Cert to demand<BR>rlm_ldap: starting TLS<BR>rlm_ldap: ldap_start_tls_s()<BR>rlm_ldap: could not start TLS Connect error<BR>rlm_ldap: (re)connection attempt failed<BR>rlm_ldap: search failed<BR>rlm_ldap: ldap_release_conn: Release Id: 0</DIV> <DIV> </DIV> <DIV> </DIV> <DIV><STRONG>openldap error:</STRONG></DIV> <DIV>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write server done A<BR>tls_write: want=902, written=902 ......<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>tls_read: want=5, got=5<BR> 0000: 15 03 01 00
02 .....<BR>tls_read: want=2, got=2<BR> 0000: 02 2a .*<BR><STRONG>TLS trace: SSL3 alert read:fatal:bad certificate<BR>TLS trace: SSL_accept:failed in SSLv3 read client certificate A<BR>TLS: can't accept.<BR>TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052</STRONG><BR>connection_read(11): TLS accept failure error=-1 id=5, closing<BR>connection_closing: readying conn=5 sd=11 for close<BR>connection_close: conn=5 sd=11<BR>daemon: removing
11</DIV> <DIV> </DIV> <DIV> </DIV> <DIV> <STRONG>When I use FreeRADIUS on the same host as OpenLDAP, there are other errors:</STRONG></DIV> <DIV>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on id=11<BR>TLS trace: SSL_accept:before/accept initialization<BR>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write certificate request A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on id=11<BR>TLS trace: SSL_accept:SSLv3 read client certificate A<BR>TLS trace: SSL_accept:SSLv3 read client key exchange A<BR>TLS trace: SSL_accept:SSLv3 read
finished A<BR>TLS trace: SSL_accept:SSLv3 write change cipher spec A<BR>TLS trace: SSL_accept:SSLv3 write finished A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR><STRONG>connection_read(10): unable to get TLS client DN, error=49 id=11</STRONG><BR>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on id=11<BR>ber_get_next<BR>ber_get_next: tag 0x30 len 5 contents:<BR>ber_get_next<BR>TLS trace: SSL3 alert read:warning:close notify</DIV> <DIV> </DIV> <DIV> </DIV> <DIV><STRONG>Partial configuration in slapd.conf:</STRONG></DIV> <DIV>TLSCipherSuite HIGH:MEDIUM:+SSLv2<BR>TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem<BR>TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem<BR>TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem<BR><STRONG>TLSVerifyClient try</STRONG></DIV> <DIV> </DIV> <DIV>Can anyone tell me why this is? Is anything wrong with my configuration file?</DIV> <DIV> </DIV>
<DIV>Thanks!</DIV> <DIV>John</DIV>
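<DIV>The two bolded lines in the first slapd log can be read off the bytes slapd printed: the 5-byte record header "15 03 01 00 02" and the 2-byte body "02 2a" are a TLS 1.0 alert record, level 2 (fatal), description 42 (bad_certificate), and the OpenSSL code 14094412 packs the same alert (reason 1042 = 1000 + 42). Because slapd logged it as an alert it <EM>read</EM>, the alert was sent by the TLS client, i.e. libldap inside FreeRADIUS, rejecting the certificate slapd presented during STARTTLS on port 389 (the s_client test in the post went to LDAPS on 636 instead). The decoder below is an added example and is not code from the post or from either project; the sample bytes and the error code are constructed from the log above, and the alert names are the TLS alert registry values.</DIV>

```python
"""Decode the TLS alert record and OpenSSL error code shown in the slapd log.

Added example, not code from the original post. The byte strings below are
constructed from the hex dumps in the log (tls_read: "15 03 01 00 02", then
"02 2a"); alert names follow the TLS alert registry (RFC 5246, section 7.2).
"""
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Alert levels and the alert descriptions most often seen on certificate failures
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}


def parse_record_header(header: bytes) -> dict:
    """Parse the 5-byte TLS record header: content type, version, body length."""
    if len(header) != 5:
        raise ValueError("TLS record header must be exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", header)
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": f"{major}.{minor}",   # 3.0 = SSLv3, 3.1 = TLS 1.0
        "length": length,
    }


def parse_alert(header: bytes, body: bytes) -> dict:
    """Parse an alert record: header plus a 2-byte (level, description) body."""
    rec = parse_record_header(header)
    if rec["content_type"] != "alert":
        raise ValueError(f"not an alert record: {rec['content_type']}")
    if rec["length"] != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    rec["level"] = ALERT_LEVELS.get(level, f"unknown({level})")
    rec["description"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    rec["description_code"] = desc
    return rec


# OpenSSL 0.9.x/1.0.x packs an error as (lib << 24) | (func << 12) | reason.
# In the SSL library, reasons >= 1000 denote a received alert: reason - 1000
# is the TLS alert description number (SSL_AD_REASON_OFFSET).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code and map an SSL alert reason back to its alert."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason, "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        out["alert"] = (alert, ALERT_DESCRIPTIONS.get(alert, f"unknown({alert})"))
    return out


# Constructed from the slapd log above: tls_read got 5 bytes, then 2 bytes.
LOGGED_HEADER = bytes.fromhex("1503010002")
LOGGED_BODY = bytes.fromhex("022a")
# "TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate"
LOGGED_OPENSSL_ERROR = 0x14094412

if __name__ == "__main__":
    alert = parse_alert(LOGGED_HEADER, LOGGED_BODY)
    print(f"record: TLS {alert['version']} {alert['content_type']}, "
          f"{alert['level']} {alert['description']} ({alert['description_code']})")
    err = decode_openssl_error(LOGGED_OPENSSL_ERROR)
    print(f"openssl: lib={err['lib']} func={err['func']} "
          f"reason={err['reason']} alert={err['alert']}")
```

<DIV>With "Require Cert" set to demand, libldap treats a failed verification of the server certificate as fatal and sends exactly this alert, so the place to look is the client side of the STARTTLS exchange: the CA in tls_cacertfile must be the one that issued servercrt.pem, and libldap also compares the name it connected to (127.0.0.1 in the log) against the certificate. The second log, from the same-host run, reaches "write finished", so that handshake completed; the "unable to get TLS client DN, error=49" line reflects the TLSVerifyClient try setting asking for a client certificate that was not supplied, which "try" does not treat as fatal.</DIV>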