--On Thursday, February 09, 2017 8:27 PM +0100 "A. Schulze" <sca@andreasschulze.de> wrote:

> a manual test using openssl s_client also proves the root is wrongly delivered:
> $ echo | openssl11 s_client -connect ldap-test.example.org:443

Hi Andreas,
Please see the slapd.conf(5) or slapd-config(5) man pages, which clearly state:

    TLSCACertificateFile <filename>
        Specifies the file that contains certificates for all of the
        Certificate Authorities that slapd will recognize.
Note "That *slapd* will recognize". The server cannot and will not provide the cert chains to clients as that is a massive security risk. Clients can and must be configured with the list of CAs *they* will trust when the server provides the cert.
> Ultimate features would be OCSP stapling (OK, no ldap client currently implements that) and setting ecdh_curve via SSL_CTX_set1_curves_list

Feel free to submit a patch to implement anything necessary beyond what was discussed in http://www.openldap.org/its/index.cgi/?findid=7506. :) Or at least file an ITS so the issue can be tracked.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
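The check the thread is about, as an added example that is not from the post or from OpenLDAP: a throwaway three-tier PKI is built with the openssl CLI, the file a server should hand out (leaf plus intermediate, no root) is assembled, and `openssl verify` is run against it once with the correct root in the client's trust file and once with an unrelated root. The CA names, the hostname ldap-test.example.org and all file names are made up. How slapd itself assembles the chain it sends is a separate question (slapd.conf(5) and the ITS linked above) and is not modelled here; the point shown is that the outcome turns on what the client has been configured to trust.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Builds a throwaway
# root -> intermediate -> server PKI with the openssl CLI and verifies the chain a
# server would deliver against two different client-side trust files.
# All names (Example Root CA, ldap-test.example.org, file names) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: CA certs need CA:TRUE; the server leaf gets a SAN instead.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap-test.example.org\n' >"$WORK/leaf.ext"

newcsr() { # $1 = basename, $2 = CN; writes $WORK/$1.key and $WORK/$1.csr
  openssl req -new -batch -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA (self-signed), an intermediate signed by it, and the server leaf signed
# by the intermediate.
newcsr root "Example Root CA"
openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
newcsr inter "Example Intermediate CA"
openssl x509 -req -sha256 -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/inter.pem" 2>/dev/null
newcsr ldap "ldap-test.example.org"
openssl x509 -req -sha256 -days 2 -in "$WORK/ldap.csr" -CA "$WORK/inter.pem" \
  -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/ldap.pem" 2>/dev/null

# An unrelated root, standing in for a client whose trust file (e.g. TLS_CACERT
# in ldap.conf) points at the wrong CA.
newcsr other "Unrelated Root CA"
openssl x509 -req -sha256 -days 2 -in "$WORK/other.csr" -signkey "$WORK/other.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null

# What a server should deliver in the handshake: the leaf plus the intermediate(s).
# The root is deliberately NOT in this file; trusting it is the client's decision.
cat "$WORK/ldap.pem" "$WORK/inter.pem" >"$WORK/served-chain.pem"

# Number of certificates in a PEM bundle (what `openssl s_client -showcerts` lists).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify the served chain against a client-side trust file; prints OK or FAIL.
# The output text is matched rather than the exit code, which older openssl
# versions did not set reliably for `verify`.
verify_served_chain() { # $1 = file holding the CA(s) the client trusts
  out=$(openssl verify -CAfile "$1" -untrusted "$WORK/served-chain.pem" \
        "$WORK/ldap.pem" 2>&1 || true)
  case "$out" in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

echo "served chain contains $(cert_count "$WORK/served-chain.pem") certificates (no root)"
echo "client trusts Example Root CA : $(verify_served_chain "$WORK/root.pem")"
echo "client trusts Unrelated Root CA: $(verify_served_chain "$WORK/other.pem")"
```

The same served chain verifies for the first client and fails for the second; nothing the server sends can change that, which is the reason the root belongs in the client's trust configuration and not in the chain the server delivers.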