On Wed, Aug 09, 2017 at 07:47:06PM +0200, r0m5 wrote:
> Yes, so far "TLS_REQCERT allow" on the PHP applications' OS because the OpenLDAP consumers' certs are still self-signed.
> Indeed I saw #8385 linked in ITS#8427. From my understanding #8385 deals with certificate validation using libldap. php5-ldap depends on libldap and the versions of libldap installed on our php frontends are old (jessie...).
I'm actually about to propose an update for stretch including that fix along with some others (and will update jessie-backports once it's released for stretch). I hadn't intended to backport it as far as jessie, but I have some other changes pending for jessie as well so I may as well include it.
> So I will also make sure that the PHP frontends trust the CA that will sign the new LDAP consumers' certificates. I guess that should solve the STARTTLS problems from application to consumer the same way it (looks like it) solved the STARTTLS problems from consumers to providers.
Yes, it should.
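As an added example (not part of this thread or of the Debian package), here is an offline audit of an ldap.conf-style file that tells you whether libldap clients such as php-ldap will actually verify the consumer's certificate, contrasting the "TLS_REQCERT allow" setting discussed above with a hardened one that trusts the signing CA. Hostnames and CA paths are placeholders.

```shell
#!/bin/sh
# Constructed sample configs (placeholders, not from the thread): the weak
# setting the frontends currently carry, and the hardened one for after the
# consumers get CA-signed certificates.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
BASE   dc=example,dc=org
URI    ldap://consumer.example.org
# Accepts any certificate, so STARTTLS gives no protection against a MITM.
TLS_REQCERT allow
EOF

HARD_CONF="$(mktemp)"
cat > "$HARD_CONF" <<'EOF'
BASE   dc=example,dc=org
URI    ldap://consumer.example.org
# Trust the internal CA that signs the consumer certificates, then require a
# valid certificate (demand is also the libldap default when TLS_REQCERT is unset).
TLS_CACERT  /etc/ssl/certs/internal-ldap-ca.pem
TLS_REQCERT demand
EOF

# ldap_conf_get FILE KEY: print the value of the last KEY line (keyword is
# case-insensitive, '#' comment lines are ignored); prints nothing if unset.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1)==key {v=$2} END{print v}' "$1"
}

# audit_ldap_conf FILE: return 0 when FILE enforces server certificate
# validation (TLS_REQCERT demand/hard or unset, plus an explicit CA trust
# source), return 1 otherwise with the reason on stderr.
audit_ldap_conf() {
    f="$1"
    reqcert=$(ldap_conf_get "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$f" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$f" TLS_CACERTDIR)
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "$f: TLS_REQCERT $reqcert does not enforce validation" >&2; return 1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "$f: no TLS_CACERT/TLS_CACERTDIR, nothing to validate against" >&2
        return 1
    fi
    return 0
}

audit_ldap_conf "$WEAK_CONF" || echo "weak config rejected"
audit_ldap_conf "$HARD_CONF" && echo "hardened config accepted"
```

Once the CA is in place, `ldapsearch -ZZ -H ldap://consumer.example.org -x -b '' -s base` (with -ZZ, STARTTLS must succeed including certificate validation) is the live check that the hardened config works end to end.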