Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
- To: Ralf Mattes <r.mattes@mh-freiburg.de>, Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
- From: "A. Schulze" <sca@andreasschulze.de>
- Date: Thu, 9 Feb 2017 23:30:09 +0100
- Cc: openldap-technical@openldap.org
- In-reply-to: <45bd-589ce000-219-1162cb60@192598928>
- References: <45bd-589ce000-219-1162cb60@192598928>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
On 09.02.2017 at 22:32, Ralf Mattes wrote:
> Is this really the problem? I only use TLSCACertificateFile but still get all the
> intermediate certificates as well as the top level (German Telekom) cert.
Ah!
Both TLSCACertificateFile and TLSCACertificatePath contain the acceptable issuer certificates
for connections from a client /to/ slapd if TLSVerifyClient is not "none",
just as Quanah pointed out some messages ago...
In any case the list of DNs is sent to the client as part of the SSL handshake.
If it happens that TLSCACertificateFile and/or TLSCACertificatePath
contain certificates related to the server certificate chain,
these are also sent to build this cert chain.
But even if TLSCertificateFile points to a file containing cert + intermediate,
OpenLDAP still delivers only the cert to the client
(if TLSCACertificateFile and TLSCACertificatePath are unset).
I'm confused because it's different than postfix, for example.
There I configure "smtpd_tls_cert_file = $cert_and_intermediates".
Optionally I may enable "smtpd_tls_ask_ccert = yes".
Then the SMTP server asks the client to present a client cert;
I have to configure smtpd_tls_CAfile or smtpd_tls_CApath.
The difference between smtpd_tls_CAfile and smtpd_tls_CApath in postfix:
( see http://www.postfix.org/postconf.5.html#smtpd_tls_CApath )
"In contrast to smtpd_tls_CAfile, DNs of Certification Authorities
installed in $smtpd_tls_CApath are not included in the client
certificate request message."
And this is what you see, Ralf ...
OpenLDAP always sends the list of DNs.
Hope that helps.
Andreas
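The handshake message Andreas refers to (the server's list of acceptable CA DNs) can be inspected with a small decoder. This is an added example, not part of the thread, of OpenLDAP or of Postfix: it parses the certificate_authorities field of a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4 layout; in TLS 1.3 the list moves into an extension) and renders each DER-encoded Name, run here against a constructed sample with placeholder CA names.

```python
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}  # OID -> short name for the sample's attribute types

def der_tlv(data, pos):
    """(tag, value, next_pos) for the DER TLV at pos; handles short and long length forms."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted form of DER OBJECT IDENTIFIER content octets (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_to_str(der_name):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'C=DE, O=..., CN=...'."""
    _, rdns, _ = der_tlv(der_name, 0)
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = der_tlv(rdns, pos)            # one RDN (a SET); single-valued here
        _, atv, _ = der_tlv(rdn_set, 0)                 # AttributeTypeAndValue SEQUENCE
        _, oid, p = der_tlv(atv, 0)
        _, val, _ = der_tlv(atv, p)
        parts.append(f"{OIDS.get(decode_oid(oid), decode_oid(oid))}={val.decode()}")
    return ", ".join(parts)

def parse_certificate_request(body):
    """Acceptable CA DNs from a TLS 1.2 CertificateRequest handshake body (RFC 5246 7.4.4)."""
    pos = 1 + body[0]                                   # skip certificate_types
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big") # skip supported_signature_algorithms
    total = int.from_bytes(body[pos:pos + 2], "big")
    pos, end, cas = pos + 2, pos + 2 + total, []
    while pos < end:                                    # each entry: 2-byte length + DER Name
        n = int.from_bytes(body[pos:pos + 2], "big")
        cas.append(name_to_str(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return cas

# Constructed sample (not a real capture): two placeholder CA names, as a slapd with TLSVerifyClient set might list.
_der = lambda tag, value: bytes([tag, len(value)]) + value      # short-form length only; enough for this sample
def _rdn(oid, text, tag=0x0C):                                   # SET { SEQUENCE { OID, UTF8String/PrintableString } }
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(tag, text.encode())))
_name = lambda cn: _der(0x30, _rdn(b"\x55\x04\x06", "DE", 0x13) + _rdn(b"\x55\x04\x0A", "Example CA") + _rdn(b"\x55\x04\x03", cn))
_cas = b"".join(len(n).to_bytes(2, "big") + n for n in (_name("Example Root"), _name("Example Intermediate")))
SAMPLE_REQUEST = (bytes([2, 1, 64]) + b"\x00\x04\x04\x01\x04\x03"  # types rsa_sign, ecdsa_sign; sigalgs sha256/rsa, sha256/ecdsa
                  + len(_cas).to_bytes(2, "big") + _cas)
```

Against a live server the same list appears in `openssl s_client` output under "Acceptable client certificate CA names"; comparing it with the contents of TLSCACertificateFile/TLSCACertificatePath confirms whether the configured CA set is what slapd actually advertises.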