Description of problem:
If the TLSCertificateKeyFile contains the passphrase, then slapd starts without prompting to enter the pass phrase and TLS/SSL authentication is not working.

Version-Release number of selected component (if applicable):
2.4.23-4

How reproducible:

Steps to Reproduce:
1. Generate self-signed certs with an encrypted key (pass phrase)
2. Start slapd using (/etc/init.d/slapd start)
3.

Actual results:
[root@myhost openldap]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]

Expected results:
[root@myhost2 ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd:
Enter PEM pass phrase: [ OK ]

Additional info:
In FC13, if we use an encrypted SSL key file, then it asks for the pass phrase during slapd start. But now in FC14, the service is starting without asking for the pass phrase, and the result is that server/client authentication is broken due to TLS/SSL negotiation failure. Please verify the change.
Hello. Please take a look at the official OpenLDAP documentation for TLS: http://www.openldap.org/doc/admin24/tls.html

> 16.2.1.4. TLSCertificateKeyFile <filename>
>
> This directive specifies the file that contains the private key that matches
> the certificate stored in the TLSCertificateFile file. Private keys themselves
> are sensitive data and are usually password encrypted for protection. However,
> the current implementation doesn't support encrypted keys so the key must not
> be encrypted and the file itself must be protected carefully.

Unfortunately, this is not supported. It seems that the OpenSSL library handled the opening of password-encrypted keys itself, but Mozilla NSS doesn't. (And since F14 we use Mozilla NSS instead of OpenSSL.)
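The practical consequence of the comment above is that an administrator moving from the OpenSSL-backed slapd to the NSS-backed one has to find out whether the key named by TLSCertificateKeyFile is passphrase-protected, and if so replace it with an unencrypted copy that only the slapd user can read. The following script is an added example, not part of the bug report, of OpenLDAP or of Fedora: it detects the two PEM encryption markers (a PKCS#8 "ENCRYPTED PRIVATE KEY" block, or a traditional key carrying a "Proc-Type: 4,ENCRYPTED" header) and shows the openssl command that writes an unencrypted copy with owner-only permissions. The file paths and the `decrypt_key_file` helper are assumptions for illustration; the script does not modify the original key.

```shell
#!/bin/sh
# Added example (not from the bug report, OpenLDAP or Fedora): check whether the
# PEM private key referenced by TLSCertificateKeyFile is passphrase-protected,
# which the Mozilla NSS backend used since Fedora 14 cannot open at startup.

# Return 0 (true) if the PEM file looks encrypted. Two encodings are common:
#   - PKCS#8:      "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#   - traditional: "-----BEGIN RSA PRIVATE KEY-----" followed by
#                  "Proc-Type: 4,ENCRYPTED" and a DEK-Info header.
pem_key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Report the state of a key file. Exit status: 0 = usable unencrypted key,
# 1 = encrypted key (slapd/NSS will not prompt and TLS will fail),
# 2 = file missing or unreadable.
check_key_file() {
    keyfile=$1
    if [ ! -r "$keyfile" ]; then
        echo "cannot read $keyfile" >&2
        return 2
    fi
    if pem_key_is_encrypted "$keyfile"; then
        echo "$keyfile is passphrase-protected; the NSS-backed slapd cannot use it"
        return 1
    fi
    echo "$keyfile is unencrypted"
    return 0
}

# Write an unencrypted copy of an encrypted key. openssl prompts for the PEM
# pass phrase once; the subshell umask makes the new file mode 0600 so the
# "must be protected carefully" requirement from the documentation holds.
# Hypothetical helper for illustration; assumes openssl is installed.
decrypt_key_file() {
    in=$1
    out=$2
    ( umask 077 && openssl pkey -in "$in" -out "$out" )
}

# Typical use on an OpenLDAP server (paths are assumptions):
#   check_key_file /etc/openldap/certs/slapd-key.pem
#   decrypt_key_file /etc/openldap/certs/slapd-key.pem \
#                    /etc/openldap/certs/slapd-key-plain.pem
#   chown ldap:ldap /etc/openldap/certs/slapd-key-plain.pem
# then point TLSCertificateKeyFile at the plain copy and restart slapd.
```

Run `check_key_file` against the path configured in slapd.conf before restarting the service: an exit status of 1 means the quiet "[ OK ]" from the init script will be followed by TLS negotiation failures exactly as the report describes, because nothing ever asks for the pass phrase.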
Thanks Jan for the info.