not able to get it to work. Things we have tried:
* removed the -ZZ option.
* set TLS_CACERT to the complete path and removed TLS_CACERTDIR from ldap.conf
* also set the above as an environment variable
* also tried some permutations like TLS_CACERT equals just the filename whereas TLS_CACERTDIR equals the directory containing the file
but the result is the same.
ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 5 tm: -1 async: 0
tlsst_thr_init()
tlsst_init()
tlsst_ctx_new() = 0x7fb530006f60
tlsst_ctx_init(0x7fb530006f60)
tlsst_ciphers_get((null), TLS_CIPHER_SUITE)
tlsst_session_new(0x7fb530006f60)
tlsst_ciphers_set(76, TLS_CIPHER_SUITE)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_new(0x7fb530006f60) = 0x7fb530008ef0
tlsst_sb_setup(0x7fb530008ef0)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_connect(0x7fb530008ef0)
tlsst_session_handshake()
tlsst_socket_write(0x7fb530008548, 145)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 93)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 778)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 147)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 270)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 4)
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
and openssl s_client does work.

________________________________
From: Quanah Gibson-Mount <quanah@symas.com>
Sent: Monday, October 5, 2020 10:24 AM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

--On Monday, October 5, 2020 1:58 AM +0000 Siddharth Jain <siddjain@live.com> wrote:
is it necessary to specify both TLS_CACERT and TLS_CACERTDIR?
You use one or the other. The TLS_CACERT only takes a specific file. The TLS_CACERTDIR allows the usage of a directory of multiple CA files.
16.2.2.1. TLS_CACERT <filename>
This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.
16.2.2.2. TLS_CACERTDIR <path>
This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
The ldap.conf file uses one set of configuration parameter names, the slapd configuration uses a different set of configuration parameter names.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
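Added example, not part of either message above and not OpenLDAP project code: a shell walk-through of the two trust-store layouts Quanah describes, so the difference between TLS_CACERT (one file) and TLS_CACERTDIR (a c_rehash-managed directory) can be checked before ldap.conf is touched. The CA is a throwaway self-signed certificate generated here, the directory under $WORK is arbitrary, and the ldap.conf fragments are written to files rather than installed. It needs only the openssl command; where "openssl rehash" is missing (older OpenSSL, LibreSSL) it falls back to creating the <subject_hash>.0 link by hand, which is what c_rehash does. Both layouts are then verified with "openssl verify", which consumes them the same way libldap's OpenSSL backend does.

```shell
#!/bin/sh
# Added example: build a TLS_CACERT file and a TLS_CACERTDIR directory and
# prove both work as trust stores. Not from the thread; $WORK is arbitrary.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed, throwaway self-signed CA standing in for a real corporate CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  echo "$WORK/ca.pem"
}

# TLS_CACERTDIR layout: the directory must hold <subject_hash>.0 links, which
# is what c_rehash / "openssl rehash" produce. Fall back to doing it by hand.
make_cacertdir() {
  ca="$1"
  dir="$WORK/cacerts"
  mkdir -p "$dir"
  cp "$ca" "$dir/"
  if ! openssl rehash "$dir" >/dev/null 2>&1; then
    h=$(openssl x509 -noout -subject_hash -in "$ca")
    ln -sf "$(basename "$ca")" "$dir/$h.0"
  fi
  echo "$dir"
}

# A CACERTDIR without the hash link is silently useless; check for it.
cacertdir_has_hash() {
  dir="$1"; ca="$2"
  h=$(openssl x509 -noout -subject_hash -in "$ca")
  [ -e "$dir/$h.0" ]
}

# Same check OpenSSL-backed libldap performs: can this store validate a
# certificate? The self-signed CA is verified against itself here.
verify_with_file() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
verify_with_dir()  { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Two alternative ldap.conf fragments: use one or the other, never both.
write_ldap_conf() {
  ca="$1"; dir="$2"
  cat > "$WORK/ldap.conf.file" <<EOF
# single CA bundle file
TLS_CACERT $ca
TLS_REQCERT demand
EOF
  cat > "$WORK/ldap.conf.dir" <<EOF
# hashed directory of CA files (managed with c_rehash / openssl rehash)
TLS_CACERTDIR $dir
TLS_REQCERT demand
EOF
}

# Run the whole procedure once.
CA=$(make_ca)
DIR=$(make_cacertdir "$CA")
write_ldap_conf "$CA" "$DIR"
verify_with_file "$CA" "$CA" && echo "TLS_CACERT store OK: $CA"
verify_with_dir "$DIR" "$CA" && echo "TLS_CACERTDIR store OK: $DIR"
echo "ldap.conf fragments written to $WORK/ldap.conf.file and $WORK/ldap.conf.dir"
```

One caveat for the trace at the top of the thread: its TLS calls are prefixed tlsst_ and the failure is a Security.framework trust result (kSecTrustResultRecoverableTrustFailure), which is the macOS Secure Transport backend, not OpenSSL. A CA file or hashed directory that passes the checks above proves the files are well-formed, but that backend evaluates trust through the system keychain, so a store that works with openssl s_client on the same machine can still be rejected by that ldapsearch build.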