directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <>
Subject Re: R: R: R: how to set TLS connection with ApacheDS
Date Thu, 06 Apr 2017 08:47:51 GMT

Le 06/04/2017 à 09:52, Maiorano Pasquale a écrit :
> The client certificate has been generated by means of keytool with the following command:
> At the very beggining we hve generate the keystored used by apacheDS:
> keytool –genkey –keyalg “RSA” –dname “cn=localhost, ou=ApacheDS, o=ASF, c=US”
–alias dem –keystore “C:\DEM\DEM.ks” –storepass secret –validity 730
> and then we have generated the self signed certificate: Keytool -export –keystore “C:\DEM\DEM.ks”
–alias dem -file “C:\DEM\DEM.cer”
> and then we have added the DEM.cer certificate to the "cacerts" trusted store of the
JVM.these are the three steps adviced on the Basic User guide.
> Could you please take a look to the log added in my prevoius mail where is stated all
the messages produced by the client and the server during the handsheking? This is to verify,
looking the signature  and the chain messages, what is the problem.
> Thank you very much for you support, but I am in trouble, because I have to delivery
my SW, ad I am in terrible delay.

I understand. However, I'm dealing with a 1 month old baby, a day job,
and many other constrainst. At teh same time, I do my best to answer
questions as much as I can, considering the very little amount of time I

Bottom line, I want to be clear that this is open source software, for
which peple are working on a volunteer base, which means we don't get
paid to deliver the software, although we really do our best to deliver
something that *works*.

Your problem is clearly a user problem, not a ApacheDS problem : we use
the API in Studio, and it works pretty well when it comes to TLS, so
there is clearly some misconfiguration on your side, that I *whish* to
have enough time to investigate, but sadly, time that I don't always have.

When it comes to use TLS on the client side, the existing documentation,
as liited as it is, can be find on The
certificate pages is not yet updated, and I'm sorry for that : This
is something I can work on at the end of this week, as it's critical for
many users, but I can't do any false promise. OTOH, it's really basic
Java stuff, so I would suggest that you first try with JNDI to see
what's wrong with the client side certificate.

Don't get me wrong : I'm not telling you to do your homeworks, I'm just
trying to depict the way we work, and why it's not perfect. This is also
why we expect users to conduct their due diligence before engaging with
their customer, and we always expect people using our software to be
dedicated enough to report bugs, provide documentation pacthes based on
user experience, tests, or even better, patches.

At the end of the day, this is *YOUR* software as much as ours.

Emmanuel Lecharny

View raw message