Re: Phantom certificates?

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On May 7, 2014 at 4:15:10 PM -0400 "Andrew D. Arenson" <aarenson@iu.edu> 
wrote:

> On Wed, May 07, 2014 at 09:42:33AM +0200, Hallvard Breien Furuseth wrote:
> > On 05/06/2014 05:26 PM, Andrew D. Arenson wrote:
> > > (...) if I set
> > > TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but
> > > as far as I can tell has no actuall certificates in that database, ldap
> > > search tells me, surprisingly, that the server's certificate _IS_
> > > verified.
> > >
> > >         How is openldap verifying my server's certificate?
> >
> > Maybe this is a variant of ITS#5582: Setting TLS_CACERT to any
> > certificate.pem file also tells OpenSSL to check the system's
> > standard installed certs.  OpenLDAP should have a separate
> > option for that, or the opposite - an option not to do that.
>
>   	 Thanks. I didn't find an option for turning on/off the
> use of a system's standard installed certs. Are you saying that you
> think something like that _does_ exist, or that you simply think it
> should?

RHEL uses NSS, not OpenSSL.

--Quanah


--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration