IBM Security Verify

Has anyone got TLS to LDAP working, with Elliptic client certificate?

  • 1.  Has anyone got TLS to LDAP working, with Elliptic client certificate?

    Posted Fri October 22, 2021 10:33 AM

    I want to set up LDAP to use TLS 1.3, and I am having a few problems.

    I am running on Linux with OPENLDAP.  I can use an RSA certificate to set up the session.  That works fine.
    The problem is trying to use an elliptic certificate on the client.
    My certificate is ASN1 OID: secp521r1 (NIST CURVE: P-521) signed with Signature Algorithm: ecdsa-with-SHA512.

    Ive looked at a wireshark trace, and see
    "certificate types": [rsa_sign, dss_sign]
    which does not have the expected ecdsa_sign.
    because ECDSA is not sent down, TLS will not look for the EC certificate in my keystore.


    Has anyone got this working?
    My config has
    sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED
    and my environment has
    GSK_TRACE=0xff
    GSK_PROTOCOL_TLSV1_1=on
    GSK_PROTOCOL_TLSV1_2=on
    GSK_PROTOCOL_TLSV1_3=on
    GSK_V3_CIPHER_SPECS_EXPANDED=009E002FC027C013c02dc023c025130313011302
    GSK_SERVER_TLS_KEY_SHARES=0023002500290024
    GSK_CLIENT_TLS_KEY_SHARES=0023002500290024
    GSK_TLS_SIG_ALG_PAIRS=0601050104010301080608050804050304030603


    It may just be a matter of the GSK parameters not being set up properly.  Ive tried many combinations and not been successful.



    ------------------------------
    Colin Paice
    ------------------------------