Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
- To: "A. Schulze" <sca@andreasschulze.de>, openldap-technical@openldap.org
- Subject: Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Thu, 09 Feb 2017 11:54:56 -0800
- Content-disposition: inline
- In-reply-to: <WM!77b8f73e7cb893c957580018ba19a9e397e0883c0974298e0501f9772d6b7739905db338c5886e2fec82acbb53e2096e!@mailstronghold-1.zmailcloud.com>
- References: <ED38F9D4DE1C79C42B095763@[192.168.1.30]> <1dbdbf1d-8384-3ba6-ac42-99b425003f12@andreasschulze.de> <WM!77b8f73e7cb893c957580018ba19a9e397e0883c0974298e0501f9772d6b7739905db338c5886e2fec82acbb53e2096e!@mailstronghold-1.zmailcloud.com>
--On Thursday, February 09, 2017 8:27 PM +0100 "A. Schulze"
<sca@andreasschulze.de> wrote:
Hi Andreas,

> a manual test using openssl s_client also proves the root is wrongly
> delivered: $ echo | openssl11 s_client -connect ldap-test.example.org:443
Please see the slapd.conf(5) or slapd-config(5) man pages, which clearly
state:

    TLSCACertificateFile <filename>
        Specifies the file that contains certificates for all of the
        Certificate Authorities that slapd will recognize.
Note "that *slapd* will recognize". The server cannot and will not provide
the cert chains to clients as that is a massive security risk. Clients can
and must be configured with the list of CAs *they* will trust when the
server provides the cert.
> Ultimate features would be OCSP stapling (OK, no ldap client currently
> implements that) and setting ecdh_curve via SSL_CTX_set1_curves_list
Feel free to submit a patch to implement anything necessary beyond what was
discussed in <http://www.openldap.org/its/index.cgi/?findid=7506>. :) Or at
least file an ITS so the issue can be tracked.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
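The point argued in the reply above, that the CA list is a client-side setting and a root handed over by the server carries no trust of its own, can be shown with the openssl CLI alone. The script below is an added example, not code from this thread or from OpenLDAP: it builds a throwaway root and a leaf certificate for ldap-test.example.org (the host name from the thread; the CA name is invented), then verifies the leaf once with the root configured as the client's own trust anchor (-CAfile, which is what TLS_CACERT in ldap.conf(5) does for an LDAP client) and once with the root offered only as peer-supplied chain material (-untrusted). Only the first verification succeeds.

```shell
#!/bin/sh
# Added example, not code from the mail or from OpenLDAP. Builds a throwaway
# test PKI and shows that a root certificate is a trust anchor only when the
# *client* is configured with it (-CAfile); a root that merely arrives in the
# peer's chain (-untrusted) is never trusted on its own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a self-signed root (CA:TRUE) and one leaf for the LDAP host.
# Both req runs use their own minimal config so no system openssl.cnf is needed.
make_pki() {
    cat >"$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Test Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat >"$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ldap-test.example.org
EOF
    openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# Prints "ok" if openssl verify accepts the leaf, "fail" otherwise. The output is
# checked rather than the exit status because old openssl releases exit 0 on failure.
verdict() {
    if openssl verify "$@" "$WORK/leaf.crt" 2>&1 | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Client configured with its own trust anchor (the TLS_CACERT case).
verify_with_client_trust() { verdict -CAfile "$WORK/root.crt"; }

# Client with no anchor of its own; the root is available only as served chain
# material. OpenSSL uses -untrusted certs to build the chain, never as anchors.
verify_peer_supplied_root_only() { verdict -untrusted "$WORK/root.crt"; }

make_pki
echo "client has the root configured:    $(verify_with_client_trust)"
echo "root only supplied by the server:  $(verify_peer_supplied_root_only)"
```

Against a live server the same distinction shows up in `echo | openssl s_client -connect ldap-test.example.org:636 -showcerts -CAfile <client-ca-bundle>`: `-showcerts` lists every certificate the server actually sends, while the `Verify return code` at the end depends only on the bundle given with `-CAfile`, not on whether a root was among the served certificates.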