--On Tuesday, November 2, 2021 11:38 PM +0000 "Ballem, Narayanan" Narayanan.Ballem@Staples.com wrote:
openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1
I am unable to reproduce this on RHEL7.
With no TLS protocol min set:
openssl s_client -connect localhost:636 -ssl3 -quiet
depth=0 CN = c7rpmtest
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = c7rpmtest
verify error:num=10:certificate has expired
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1
depth=0 CN = c7rpmtest
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1
With TLS protocol min set to 3.2 or 3.3:
# openssl s_client -connect localhost:636 -ssl3 -quiet
140008023218064:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
It appears you are modifying slapd.conf, while the default RHEL7 packages use cn=config, so modifications made to a slapd.conf file would have no effect if cn=config is in use.
As an aside I would note that OpenLDAP 2.4.54 is rather old and that the 2.4 release series is historic and no longer supported. You may wish to avail yourself of the free replacement packages for RHEL7 that are provided by Symas at https://repo.symas.com/soldap/ which are linked to a current release of OpenSSL vs the ancient RHEL7 openssl, and are also for the current supported OpenLDAP 2.6 release series. If you are insistent on using the historic unsupported OpenLDAP 2.4 release, we also have free replacement packages providing OpenLDAP 2.4.59 on RHEL7 at https://repo.symas.com/sofl/rhel7/.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
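The s_client probe Quanah runs above, generalized into a small script. This is an added example and is not part of the thread or of OpenLDAP's or Symas' own tooling. It tries each protocol flag in turn against a listener and classifies the outcome from s_client's output (a completed handshake prints verify lines; a refused protocol prints a handshake failure or protocol-version alert), and it includes the ldapmodify step that sets olcTLSProtocolMin in cn=config, which is where the floor has to be set on a stock RHEL7 install, since slapd.conf is ignored when cn=config is in use. The host, port, the ldapi:/// socket path and the helper names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Probes which TLS versions
# an LDAPS listener accepts and shows the cn=config change that sets the floor.
# Assumed: host/port values and the ldapi:/// socket are illustrative.

# classify_handshake: read openssl s_client output on stdin and print
#   rejected  - the server refused the protocol version
#   accepted  - a handshake completed (verify lines were printed)
#   unknown   - anything else (e.g. a -ssl3 flag the local openssl lacks)
# Pure text parsing, so it can be exercised offline against captured output.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"handshake failure"*|*"alert protocol version"*|*"wrong version number"*|*"unsupported protocol"*|*"no protocols available"*)
            echo rejected ;;
        *"verify return:"*|*"Verify return code"*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# probe_protocol HOST PORT FLAG: one s_client attempt with a single version
# flag (-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3), stdin closed so s_client
# exits as soon as the handshake result is known.
probe_protocol() {
    host=$1; port=$2; flag=$3
    result=$(openssl s_client -connect "$host:$port" "$flag" -quiet </dev/null 2>&1 | classify_handshake)
    echo "$flag $result"
}

# audit_listener HOST PORT: report every version the listener will negotiate.
# After raising the floor to 3.3 (TLS 1.2) you expect -ssl3, -tls1 and
# -tls1_1 to come back "rejected".
audit_listener() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_protocol "$1" "$2" "$flag"
    done
}

# set_tls_min FLOOR: set olcTLSProtocolMin in cn=config over the root-only
# ldapi socket (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2). This is the
# setting a stock RHEL7 slapd actually reads; editing slapd.conf does nothing
# while cn=config is in use. Restart slapd afterwards to be sure the new
# floor applies to every listener.
set_tls_min() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: $1
EOF
}

# Only touch the network when a host and port are given on the command line.
if [ "$#" -ge 2 ]; then
    audit_listener "$1" "$2"
fi
```

Run it as `sh tlsfloor.sh localhost 636` before and after `set_tls_min 3.3` to see the lower versions flip from accepted to rejected. A modern openssl built without SSLv3 support reports `unknown option -ssl3` rather than a handshake failure, which the classifier reports as "unknown" so it is not mistaken for the server rejecting the protocol.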