
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
Am 09.02.2017 um 21:52 schrieb Quanah Gibson-Mount:
> So it is not clear to me what happens if you use both. ;)  I've certainly never tried that.  Since you are using both, did you correctly "hash" the CA certs in the directory you pointed at?

That's the point: the directory is empty!
I configured the cert + intermediate but never a root. Some magic default will grab it from a default location,
and that's what I tried to avoid by setting "TLSCACertificatePath    /path/to/an/empty/directory/".

I just removed TLSCACertificatePath from my config, but that doesn't change anything.
Some more tests later, I have now verified:

No matter whether TLSCACertificatePath is set or not:
if /etc/ssl/certs/ contains the certificate representing the root, correctly "hashed",
it's delivered as the third certificate in the SSL handshake.

/etc/ssl/certs/ is the compiled-in default of my openssl:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

$ ls -l /usr/lib/ssl
total 4
lrwxrwxrwx 1 root root   14 Jan  8  2015 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Jan 29 21:44 misc
lrwxrwxrwx 1 root root   20 Jan 27 00:40 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Jan  8  2015 private -> /etc/ssl/private

So my guess: openldap does not call an important openssl library function, and so openssl uses its defaults.

Andreas
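A way to check what Andreas describes from the client side, as an added example that is not part of this thread nor OpenLDAP or OpenSSL code: it parses the "Certificate chain" section that `openssl s_client -showcerts` prints (the ` N s:` / `   i:` depth lines followed by a PEM block), reports whether the last certificate the server sent is self-signed (i.e. the root was shipped as the extra chain certificate), and looks for `<hash>.N` entries, the layout `openssl rehash`/`c_rehash` produce, in a CA directory. The sample handshake output, the names in it and the subject hash `abcdef12` are constructed for the example, not captured from a real server.

```python
"""Inspect the chain a TLS server sends and the hashed CA directory it
may have been padded from. Added example for the thread above; the
sample s_client output and the hash value below are constructed."""
import os
import re

# Constructed sample of `openssl s_client -showcerts` output: server cert,
# its intermediate, and a self-signed root appended as the third cert
# (the behaviour described in the thread). PEM bodies are placeholders.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...server-placeholder...
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...root-placeholder...
-----END CERTIFICATE-----
---
"""

# One chain entry: depth line, issuer line, then the PEM block.
CHAIN_RE = re.compile(
    r"^ *(\d+) s:([^\n]*)\n +i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)


def parse_chain(text):
    """Return the chain in handshake order as dicts with
    depth, subject, issuer and pem keys."""
    return [
        {"depth": int(d), "subject": s.strip(), "issuer": i.strip(), "pem": pem}
        for d, s, i, pem in CHAIN_RE.findall(text)
    ]


def root_sent_in_handshake(chain):
    """True if the last certificate sent is self-signed, i.e. the server
    is shipping the root CA itself (a client must already trust the root,
    so sending it only adds bytes to every handshake)."""
    if not chain:
        return False
    last = chain[-1]
    return last["subject"] == last["issuer"]


def hashed_entries(names, subject_hash):
    """Filter a directory listing for <subject_hash>.N entries, the naming
    OpenSSL's by-directory CA lookup (X509_LOOKUP_hash_dir) expects.
    subject_hash is what `openssl x509 -noout -subject_hash` prints."""
    pat = re.compile(r"^%s\.\d+$" % re.escape(subject_hash))
    return sorted(n for n in names if pat.match(n))


def hashed_entries_in_dir(ca_dir, subject_hash):
    """Same check against a real directory, e.g. /etc/ssl/certs."""
    try:
        return hashed_entries(os.listdir(ca_dir), subject_hash)
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_SHOWCERTS)
    for c in chain:
        print(c["depth"], "subject:", c["subject"], "issuer:", c["issuer"])
    print("root sent in handshake:", root_sent_in_handshake(chain))
    # Hash value is a constructed placeholder, not a real subject hash.
    print("hashed entries:", hashed_entries_in_dir("/etc/ssl/certs", "abcdef12"))
```

On a live server, feed `openssl s_client -connect host:636 -showcerts </dev/null` into `parse_chain`; a self-signed last entry with the root's subject hash present under OPENSSLDIR/certs is exactly the symptom reported above.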