Just spent a lot of time with CentOS 6.7 and OpenLDAP. It was configured with simple certificates and a root CA in nice little PEM files, but after an upgrade from CentOS 6.4, connecting to the slapd with SSL failed.
Finally I saw this: MozNSS error -12268, and read here: http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html and thought about it, and indeed I could find a configuration directive which disabled SSLv3, and so apparently somehow because of that 'it' ran out of ciphers or something. I gotta look into it some more. Maybe someone has a recommended TLSCipherSuite directive or can confirm the CentOS defaults are good.
Anyway... it still says this warning, as mentioned above, in the title: TLS: no unlocked certificate for certificate ''
Can someone explain it? I googled it and can't find context or a definition. It says TLS, but is it from the Mozilla NSS certificate database?
slapd says this when I connect to it via openssl s_client on port 636:
slapd -d stats -h 'ldap:/// ldapi:/// ldaps:/// ' -u ldap
[...]
TLS: certificate 'mycertificate' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'OU=XXXX,O=YYY,C=ZZZ,ST=Wien,CN=somedomainname'.
560d66c7 conn=1001 fd=31 TLS established tls_ssf=256 ssf=256
(I edited the names out up there; the OU=XXX stuff is the subject of 'mycertificate')
I have a working SSL connection, but I just want to know what an unlocked certificate is in this context, and also why it says that.
Any pointers greatly appreciated.
I found this message in the source code openldap-2.4.39/libraries/libldap/tls_m.c. The comment says "prefer unlocked key, then key from opened certdb, then any other".
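As an added example (not from the poster or from OpenLDAP), here is a small audit over slapd `-d stats` output of the kind quoted above: it records each established TLS connection with its tls_ssf, flags connections whose strength falls below an assumed policy floor, counts handshake failures, and files the "no unlocked certificate" line as a notice rather than an error, since the connection is established right after it. The sample log is constructed; only its first three lines mirror the question, and the MIN_SSF threshold is an assumed local policy.

```python
import re

# Constructed sample of slapd "-d stats" output, modelled on the lines quoted in
# the question above; the last two lines are invented for illustration.
SAMPLE_LOG = """\
TLS: certificate 'mycertificate' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'OU=XXXX,O=YYY,C=ZZZ,ST=Wien,CN=somedomainname'.
560d66c7 conn=1001 fd=31 TLS established tls_ssf=256 ssf=256
560d66d2 conn=1002 fd=32 TLS established tls_ssf=56 ssf=56
560d66e0 conn=1003 fd=33 closed (TLS negotiation failure)
"""

# Lowest security strength factor (roughly the cipher's key bits) we accept;
# 128 is an assumed policy value, not something slapd enforces by itself.
MIN_SSF = 128

ESTABLISHED = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=\d+")
FAILED = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")
NO_UNLOCKED = re.compile(r"TLS: no unlocked certificate for certificate '([^']*)'")


def audit_slapd_tls(log_text, min_ssf=MIN_SSF):
    """Summarise TLS outcomes in slapd debug output: established connections
    keyed by conn id with their tls_ssf, those below min_ssf, failed
    handshakes, and MozNSS notices that are informational rather than errors."""
    report = {"established": {}, "weak": [], "failed": [], "notices": []}
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            conn, tls_ssf = int(m.group(1)), int(m.group(2))
            report["established"][conn] = tls_ssf
            if tls_ssf < min_ssf:
                report["weak"].append(conn)
            continue
        m = FAILED.search(line)
        if m:
            report["failed"].append(int(m.group(1)))
            continue
        m = NO_UNLOCKED.search(line)
        if m:
            # Logged while slapd chooses its cert/key; the handshake that
            # follows still completes, so record it as a notice, not an error.
            report["notices"].append("no unlocked certificate: " + m.group(1))
    return report


if __name__ == "__main__":
    for key, value in audit_slapd_tls(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding it real `slapd -d stats` output makes the difference between a cosmetic MozNSS notice and a genuinely weak or failed TLS session visible at a glance.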
My guess is that the routine is capable of unlocking a key and caching the answer. It seems to be a warning message, though, not an error.