RUMI Szabolcs wrote:
> I'm using certificates I've generated since many years with a lot of
> software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
> etc. and all of these are working seamlessly, with the exception of
> OpenLDAP. It's not only me who's struggling, just Google around if
> you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
> suggests that I have to use "TLS_REQCERT never" with self-signed
> certificates or else TLS won't work. And they're right.

No, they're wrong. Likewise, most of the other software you've had "working
seamlessly" is broken but most people were too ignorant of best practices to
realize it. Now that malware is so common on the web, newer browsers like
Firefox/Mozilla are finally tightening their own validity checks on
certificates as well, and refusing to connect to sites with unrecognized
certs. I.e., they're finally beginning to do what they were supposed to do all
along, and what OpenLDAP has always done.

> To a proper self-signed certificate OpenLDAP simply says "self-signed
> certificate in certificate chain" or something like that and TLS/SSL
> handshake fails with an error.

The OpenLDAP documentation tells you how to properly configure certificates.
Ignore it and you get errors. Follow it and it works securely.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
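
The two client configurations discussed in this message, side by side, as an added example that is not part of the original post and is not taken from the OpenLDAP project's own files. All file paths are placeholders, and the layout (one CA certificate that signed the server certificate) is an assumption.

```conf
# ---------------------------------------------------------------
# Client side: ldap.conf, the workaround mentioned in the quoted text
# ---------------------------------------------------------------
# With "never" the client neither requests nor checks the server
# certificate. The link is still encrypted, but the client cannot
# tell the real server from anything else that answers on the port.
#TLS_REQCERT never

# ---------------------------------------------------------------
# Client side: ldap.conf, verification left enabled
# ---------------------------------------------------------------
# Trust anchor: the CA certificate that signed the server certificate.
# For a single self-signed server certificate, that certificate is its
# own trust anchor. When the client has no trust anchor for the chain,
# verification fails with an error like the one quoted above.
TLS_CACERT   /path/to/ca.pem
TLS_REQCERT  demand

# The host name used in the LDAP URI must also match the name in the
# server certificate (subjectAltName or CN).

# ---------------------------------------------------------------
# Server side: slapd.conf
# ---------------------------------------------------------------
TLSCACertificateFile   /path/to/ca.pem
TLSCertificateFile     /path/to/server.pem
TLSCertificateKeyFile  /path/to/server.key
```

Before touching the LDAP configuration, `openssl verify -CAfile /path/to/ca.pem /path/to/server.pem` confirms that the server certificate chains to the file the client is told to trust.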