I forgot to mention that I manually set the server certificate as an exception in the SNOM phone.
Here you find the log in DEBUG2 mode (with changed server names):
Jun 15 15:50:02.298 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 7/connecting
Jun 15 15:50:02.414 [DEBUG1] TLS: no session found for key: Tls::192.168.210.1:636
Jun 15 15:50:02.415 [ERROR ] TLS: OSSL error (SSL connect setup): code 336417087, error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid servername
Jun 15 15:50:02.415 [DEBUG2] TLS: 0x1005948 handshake start
Jun 15 15:50:02.415 [DEBUG2] TLS: 0x1005948 SSL_connect/0 before/connect initialization (0)
Jun 15 15:50:02.416 [DEBUG2] TLS: 0x1005948 SSL_connect/0 SSLv2/v3 write client hello A (0)
Jun 15 15:50:02.416 [NOTICE] TLS: new session
Jun 15 15:50:02.416 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 8/connected
Jun 15 15:50:02.425 [DEBUG2] TLS: 0x1005948 SSL_connect/0 SSLv3 read server hello A (0)
Jun 15 15:50:02.427 [ERROR ] TLS: Error 20 at depth 0: unable to get local issuer certificate
Jun 15 15:50:02.427 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.427 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.428 [DEBUG1] TLS: Found trusted cert, fingerprint 5b01xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfeb
Jun 15 15:50:02.429 [DEBUG1] TLS: Continue with cert due to explicit trust
Jun 15 15:50:02.429 [ERROR ] TLS: Error 21 at depth 0: unable to verify the first certificate
Jun 15 15:50:02.429 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.429 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.430 [DEBUG1] TLS: 0x1005948 SSL Alert write/21:fatal:unknown CA
Jun 15 15:50:02.430 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.430 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.431 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jun 15 15:50:02.431 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.431 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336085247, error:140840FF:SSL routines:ssl3_connect:unknown state
Jun 15 15:50:02.432 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 10/disconnected
Hi,
Maybe the server's certificate chain is incomplete because of a missing intermediate certificate.
I guess that your certificate doesn't complete the whole chain, so you would have to configure your provisioning server certificate correctly.
best regards
snom support
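The failure in the log above (error 20 at depth 0, then error 21 and the phone sending an "unknown CA" alert) is OpenSSL reporting that the only certificate it was shown is the server's leaf, and that nothing it trusts, and nothing sent alongside the leaf, is the certificate that issued it. The script below is an added example, not from this thread and not snom's code: it builds a throwaway three-level PKI with the openssl CLI and runs `openssl verify` three ways. Case 1 trusts the root but gets no intermediate with the leaf, which reproduces "error 20 at 0 depth" and is the situation snom support suspects; case 2 offers the intermediate with the leaf, as a correctly configured server would, and passes; case 3 trusts an unrelated CA and fails the same way one level up. The leaf and intermediate subjects are copied from the log for readability; "Enterprise-Root-CA" and "Unrelated-CA" are made up, and no key here is the real one. Requires openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread or from snom): reproduce OpenSSL verify
# error 20 ("unable to get local issuer certificate") with a throwaway PKI,
# then show the same leaf verifying once the issuing chain is available.
# Needs the openssl CLI, 1.1.1 or newer. All names are stand-ins; the leaf
# and intermediate subjects are copied from the phone log for readability.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing prompts and the system openssl.cnf is not needed.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the LDAP server (leaf) certificate.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerDC5.Domain
EOF

# gen_ca NAME SUBJECT: self-signed CA certificate NAME.pem with key NAME.key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/req.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_cert NAME SUBJECT ISSUER EXT...: new key + CSR for NAME, signed by ISSUER;
# the remaining arguments (extension options) are passed straight to openssl x509.
sign_cert() {
  name=$1; subj=$2; issuer=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 -sha256 \
    "$@" -out "$WORK/$name.pem" 2>/dev/null
}

# verify_leaf TRUSTED [UNTRUSTED]: verify leaf.pem against the CA file TRUSTED
# (the client's trust store), optionally with UNTRUSTED offered as a chain
# certificate (what a server sends alongside its leaf). Prints openssl's
# verdict; the exit status is openssl's.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" 2>&1
  fi
}

# Build root -> intermediate -> leaf, plus an unrelated CA that signed nothing here.
gen_ca root "/CN=Enterprise-Root-CA"
gen_ca other "/CN=Unrelated-CA"
sign_cert int "/DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA" root \
  -extfile "$WORK/req.cnf" -extensions ca_ext
sign_cert leaf "/CN=ServerDC5.Domain" int -extfile "$WORK/leaf.ext"

echo "1) root trusted, intermediate not supplied (chain incomplete):"
verify_leaf root.pem
echo "2) root trusted, intermediate supplied with the leaf:"
verify_leaf root.pem int.pem
echo "3) unrelated CA trusted, intermediate supplied:"
verify_leaf other.pem int.pem
```

To see which certificates the domain controller actually sends in its handshake, run `openssl s_client -connect 192.168.210.1:636 -showcerts </dev/null` from a machine on the same network and count the `BEGIN CERTIFICATE` blocks: whatever sits between the leaf and a CA the phone trusts must either be sent by the server or be present in the phone's trust store.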
Marcus Lipski
Hi,
I have a problem with my LDAP over TLS configuration.
I followed the hints in https://service.snom.com/display/wiki/TLS+Support. The phone is configured with
Also I installed the SNOM CA Cert from http://wiki.snom.com/Category:HowTo:Secure_Web_Client#Known_issues on the Windows Domain Controller in Trusted Root Certification Authorities.
Unfortunately the LDAP search doesn't work. In the log I can see the following lines:
A PCAP trace is attached.
What am I missing? A hint would be great.
Thanks a lot.
With best regards
Marcus