
I just spent a lot of time with CentOS 6.7 and OpenLDAP. It was configured with simple certificates and a root CA in nice little PEM files, but after an upgrade from CentOS 6.4, connecting to the slapd with SSL failed.

Finally I saw this: MozNSS error -12268, and read here: http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html. I thought about it and indeed, I could find a configuration directive which disabled SSLv3, and so apparently, somehow because of that, 'it' ran out of ciphers or something. I've got to look into it some more. Maybe someone has a recommended TLSCipherSuite directive or can confirm the CentOS defaults are good.

Anyway... it still says this warning, as mentioned above in the title: TLS: no unlocked certificate for certificate ''

Can someone explain it? I googled it and can't find context or a definition. It says TLS, but is it from the Mozilla NSS certificate database?

slapd says this when I connect to it via openssl s_client on port 636:

slapd -d stats  -h 'ldap:/// ldapi:/// ldaps:/// '  -u ldap
[...]
TLS: certificate 'mycertificate'      successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'OU=XXXX,O=YYY,C=ZZZ,ST=Wien,CN=somedomainname'.
560d66c7 conn=1001 fd=31 TLS established tls_ssf=256 ssf=256

(I edited the names out up there; the OU=XXX stuff is the subject of 'mycertificate'.)

I have a working SSL connection, but I just want to know what an unlocked certificate is in this context, and also why it says that.

Any pointers greatly appreciated.

frisbee23
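One way to see what the slapd actually negotiates once SSLv3 is turned off, as an added example that is not from the original post: probe port 636 with openssl s_client one protocol version at a time and pull the negotiated version and cipher out of its SSL-Session block. The host name ldap.example.com is an assumption, and the two s_client outputs embedded in the script are constructed, abridged samples used to exercise the parser offline.

```shell
#!/bin/sh
# Added example, not from the original post: probe an LDAPS port with
# openssl s_client, one protocol version at a time, and report which
# version/cipher the slapd negotiates. Useful after disabling SSLv3 or
# changing TLSCipherSuite, to see from the client side what is left.
# The host name ldap.example.com below is an assumption; 636 is the
# standard LDAPS port the question connected to.

# Extract "Protocol : X" and "Cipher : Y" from the SSL-Session block of
# s_client output. Prints "X Y", or "none" when no session was set up
# (s_client then reports "Cipher : 0000").
parse_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo none
    else
        echo "$proto $cipher"
    fi
}

# Try each protocol version separately. A version the server refuses (or
# that this openssl build no longer supports, e.g. -ssl3) shows as "none";
# stderr is dropped because a refused handshake is an expected outcome.
probe_ldaps() {
    host=${1:-ldap.example.com}
    port=${2:-636}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" $flag </dev/null 2>/dev/null || true)
        printf '%-8s %s\n' "$flag" "$(parse_handshake "$out")"
    done
}

# Constructed s_client output (abridged) for a successful handshake ...
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
---'

# ... and for a refused one (e.g. -ssl3 against a server with SSLv3 off).
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'

# Probe a real server only when a host is given on the command line;
# otherwise just run the parser over the constructed samples.
if [ $# -gt 0 ]; then
    probe_ldaps "$@"
else
    echo "ok   sample: $(parse_handshake "$SAMPLE_OK")"
    echo "fail sample: $(parse_handshake "$SAMPLE_FAIL")"
fi
```

Run it as `sh probe.sh ldap.example.com 636`. With only SSLv3 disabled, `-ssl3` should come back `none` while `-tls1_2` shows a real cipher; if every version comes back `none`, the next things to look at are the TLSCipherSuite value and the certificate database itself, which on CentOS 6 can be listed with `certutil -L -d /etc/openldap/certs` (assuming the default path was not changed).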

1 Answer


I found this message in the source code openldap-2.4.39/libraries/libldap/tls_m.c. The comment says "prefer unlocked key, then key from opened certdb, then any other".

My guess is that the routine is capable of unlocking a key and caching the answer. It seems to be a warning message, though, not an error.