Mark Cairney Mark.Cairney@ed.ac.uk schrieb am 11.04.2019 um 13:35 in
Nachricht aae98896-e973-bae1-8eaa-d4a7fa6d29dd@ed.ac.uk:
Hi,
Having just updated our SSL certificates on our OpenLDAP server led us to review the contents of our "bundle" file referenced in "olcTLSCACertificateFile".
According to the documentation at: https://www.openldap.org/doc/admin24/tls.html it states "This directive specifies the PEM-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant."
However based on our understanding of how SSL works we should only actually need the intermediate(s) in there as the client should have the root and then compare the intermediate provided by the server and only trust it if it can use this in conjunction with it's copy of the root certificate to complete the chain of trust.
With the same argumentation you could also omit the intermediate CAs (you can trust an intermediate CA as well).
Based on this we configure our web servers to only have the intermediate(s) in their chain (and in fact SSL Labs marks you down if you have the root in there too).
Of course we do realise LDAP is not HTTP!
We're running OpenLDAP 2.4.47 linked against OpenSSL on Scientific Linux 7.5.
Kind regards, Mark
-- /****************************
Mark Cairney ITI Enterprise Services Information Services University of Edinburgh
Tel: 0131 650 6565 Email: Mark.Cairney@ed.ac.uk PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.