I am using OpenLDAP 2.4.33 in Linux and it is integrated with my application. Our customer is using certifcate chain.
The certificate seem to work well with Openssl but fails when we authenticate with application.I have enabled debug statements and see it fails certificate unknown error with and I see below error:
ldap_sasl_bind_s
ldap_sasl_bind
Inside ldap_send_initial_request
Calling ldap_open_defconn
ldap_new_connection 1 1 0
Calling ldap_int_open_connection
ldap_int_open_connection
Inside ldap_connect_to_host
In HAVE_GETADDRINFO and HAVE_INET_NTOP
host =ITSUSRANADC41.na.jnj.com
proto=1
ldap_connect_to_host: TCP ITSUSRANADC41.na.jnj.com:3269
Calling ldap_int_socket
ldap_new_socket: 19
after Calling ldap_int_socket s=19
Calling ldap_int_prepare_socket
ldap_prepare_socket: 19
AF_INET
ldap_connect_to_host: Trying 10.36.108.29:3269
Calling ldap_pvt_connect
Inside ldap_pvt_connect
ldap_pvt_connect: fd: 19 tm: 10 async: 0
ldap_ndelay_on: 19
Calling ldap_int_poll
ldap_int_poll: fd: 19 tm: 10
ldap_is_sock_ready: 19
ldap_ndelay_off: 19
after Calling ldap_int_poll
ldap_pvt_connect: 0
ldap_pvt_connect: 0
After Calling ldap_pvt_connect rc=0
Calling ldap_int_connect_cbs
Inside ldap_int_connect_cbs
leaving ldap_int_connect_cbs retrun 0
After Calling ldap_int_connect_cbs err =0
SSL_CTX_load_verify_locations=1
SSL_CTX_set_default_verify_paths=1
In lo->ldo_tls_require_cert
In lo->ldo_tls_require_cert i=3
Calling SSL_CTX_set_verify
After Calling SSL_CTX_set_verify
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 process tls extension
TLS trace: SSL_connect:SSL3 post/by-pass tls extension processing
TLS trace: SSL_connect:SSLv3 read server certificate A
inside tlso_verify_cb
TLS certificate verification: depth: 0, err: 0, subject: /CN=ITSUSRANADC41.na.jnj.com, issuer: /DC=com/DC=jnj/CN=JNJ Internal Online CA A2
inside tlso_verify_cb
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=jnj/CN=JNJ Internal Online CA A2, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
inside tlso_verify_cb
TLS certificate verification: depth: 2, err: 0, subject: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
TLS trace: SSL3 alert write:fatal:certificate unknown
TLS trace: SSL_connect:error in SSL3 certificate verify A
TLS: can’t connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (ok).
After Calling ldap_int_open_connection rc = 0
LDAP_SERVER_DOWN
After calling ldap_open_defconn ,rc = -1
ldp_send_initial_request… ldap_open_defconn failed
ldap_err2string
The same certificate (pem) connects perfectly with openssl commands.
[dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/documentum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUSRANADC41.na.j nj.com:3269
CONNECTED(00000003)
depth=2 DC = COM, DC = JNJ, CN = JNJ Internal Root Certification Authority
verify return:1
depth=1 DC = com, DC = jnj, CN = JNJ Internal Online CA A2
verify return:1
depth=0 CN = ITSUSRANADC41.na.jnj.com
verify return:1
—
Certificate chain
0 s:/CN=ITSUSRANADC41.na.jnj.com
i:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
1 s:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
i:/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
Server certificate
----BEGIN CERTIFICATE----
----END CERTIFICATE----
subject=/CN=ITSUSRANADC41.na.jnj.com
issuer=/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
—
Acceptable client certificate CA names
/CN=ITSUSRANADC41.na.jnj.com
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Roo t
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ 2048bit Root Certification Auth ority
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ Root Certification Authority
/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=© 2008 VeriSign, Inc. - Fo r authorized use only/CN=VeriSign Universal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=© 2006 VeriSign, Inc. - Fo r authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU =© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certific ate Authority 2011
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Glob al Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certific ate Authority 2010
/O=Symantec Corporation/CN=Symantec Root CA
/OU=Copyright © 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Roo t Authority
/C=US/O=Symantec Corporation/CN=Symantec Root 2005 CA
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
—
SSL handshake has read 5700 bytes and written 619 bytes
—
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA873CEA5B35BFB16B7CE5A625
Session-ID-ctx:
Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A78650EA978B4A8860B35BBDCCB4 61DA777F8C0D83ED53CCFE82748D3F86
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1490103903
Timeout : 300 (sec)
Verify return code: 0 (ok)
—
The pem contains certificates JNJ Internal Root Certification Authority and CN=JNJ Internal Online CA C2 .