Seems this is https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.
Regards, Leonid.
On Wed, Jun 3, 2020 at 7:11 PM Howard Chu hyc@symas.com wrote:
Heinemann, Peter G wrote:
That's part of our puzzle. Happy to send more output if it would be helpful.
Yes, I wanted to see the entire output with debuglevel set to -1, for the connection establishment and TLS handshake. That includes the hex packet dumps of the network traffic.
The fact that it connects fine even with an expired cert implies a bug in the MozNSS cert validation functions.
ldapsearch connects fine:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US] is valid
TLS certificate verification: subject: CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US, issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
even when there's an expired cert in the chain:
head pd-ldap1.certs (from this command: openssl s_client -host pd-ldap1.net.isc.upenn.edu -port 636 -showcerts 2>pd-ldap1.certs >> pd-ldap1.certs)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
DONE
CTED(00000003)
Certificate chain
 0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access Management (IAM)/CN=directory.upenn.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
From: Howard Chu hyc@symas.com
Sent: Wednesday, June 3, 2020 9:43 AM
To: Heinemann, Peter G phei@isc.upenn.edu; openldap-technical@openldap.org
Subject: Re: ssl certificate chain
phei@isc.upenn.edu wrote:
Not sure if this is an openldap issue but have to examine everything we can.
We revised our nss certificate store as part of addressing the expiration of our root cert.
It now has two certs, the end service cert and the intermediate. Basic client operations (ldapsearch) work fine; using -d1 shows that the appropriate service certificate is loaded and the search is successful.
What is the output from ldapsearch -d -1 ?
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
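The thread turns on reading `openssl s_client -showcerts` output to tell whether the expired certificate is the self-signed AddTrust root the server is still sending (which belongs in nobody's chain file any more) or a leaf/intermediate that actually needs reissuing. The following is an added example, not code from the thread or from OpenLDAP: a small stdlib-only parser over a constructed sample of s_client output, modelled on the lines quoted above. The chain entries 1 to 3, the `Example University` subject and the function names are assumptions made for the example; the pairing of `depth=N` with the N-th `Certificate chain` entry (0 being the leaf) is the ordering openssl itself uses.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -showcerts` output (stderr then stdout),
# shaped like the capture quoted in the thread. Entries 1-3 of the chain and the
# leaf subject are invented for this example.
SAMPLE_S_CLIENT_OUTPUT = """\
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=PA/L=Philadelphia/O=Example University/CN=directory.example.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOT_AFTER_RE = re.compile(r"^notAfter=(.*)$")
CHAIN_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

X509_V_ERR_CERT_HAS_EXPIRED = 10  # the "num=10" in the verify error line


def parse_openssl_time(text):
    """Parse an openssl notAfter value such as 'May 30 10:48:38 2020 GMT'.
    openssl pads single-digit days with a space, so whitespace is collapsed first."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_s_client(output):
    """Return (verify_errors, chain) from s_client text.

    verify_errors: list of dicts with depth, subject, num, msg, not_after
    chain: list of dicts with index, subject, issuer (in the order the server sent them)
    """
    errors, chain = [], []
    current_depth, current_subject = None, None
    for line in output.splitlines():
        line = line.rstrip()
        if m := DEPTH_RE.match(line):
            current_depth, current_subject = int(m.group(1)), m.group(2)
        elif m := VERIFY_ERROR_RE.match(line):
            errors.append({"depth": current_depth, "subject": current_subject,
                           "num": int(m.group(1)), "msg": m.group(2), "not_after": None})
        elif (m := NOT_AFTER_RE.match(line)) and errors:
            # notAfter follows the verify error it belongs to
            errors[-1]["not_after"] = parse_openssl_time(m.group(1))
        elif m := CHAIN_ENTRY_RE.match(line):
            chain.append({"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
        elif (m := ISSUER_RE.match(line)) and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return errors, chain


def assess_chain(errors, chain):
    """Classify each verify error by where in the served chain it sits.

    An expired self-signed root that the server still sends is a server-side
    chain-file problem (drop it); an expired leaf or intermediate needs reissuing.
    """
    findings = []
    for err in errors:
        if err["num"] != X509_V_ERR_CERT_HAS_EXPIRED:
            findings.append(("other_error", err["depth"], err["msg"]))
            continue
        depth = err["depth"]
        entry = chain[depth] if depth is not None and depth < len(chain) else None
        if entry is not None and entry["subject"] == entry["issuer"]:
            findings.append(("expired_root_in_server_chain", depth,
                             "server sends an expired self-signed root; remove it from the chain file"))
        elif depth == 0:
            findings.append(("expired_leaf", depth, "server certificate itself has expired; reissue it"))
        else:
            findings.append(("expired_intermediate", depth, "intermediate has expired; install the current one"))
    return findings


if __name__ == "__main__":
    errs, served = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    for kind, depth, advice in assess_chain(errs, served):
        print(f"{kind} at depth {depth}: {advice}")
```

On the constructed sample this reports `expired_root_in_server_chain at depth 3`, which is the AddTrust situation: a client that trusts the newer USERTrust root directly can build a valid path at depth 2 and never needs the expired cross-sign, but an older OpenSSL that walks the served chain all the way to the expired self-signed cert fails, while NSS-based clients report the certificate as valid. To check a real server, feed it the captured file (`openssl s_client -connect host:636 -showcerts` with stderr merged, as in the thread) instead of the sample string.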