On 09.02.2017 at 21:52, Quanah Gibson-Mount wrote:
So it is not clear to me what happens if you use both. ;) I've certainly never tried that. Since you are using both, did you correctly "hash" the CA certs in the directory you pointed at?
That's the point: the directory is empty! I configured the cert + intermediate but never a root. Some magic default grabs it from a default location, and that's what I tried to avoid by setting "TLSCACertificatePath /path/to/an/empty/directory/".
I just removed TLSCACertificatePath from my config, but that doesn't change anything. Some more tests later, I have now verified:
No matter whether TLSCACertificatePath is set or not, if /etc/ssl/certs/ contains the correctly "hashed" certificate representing the root, it's delivered as the third certificate in the SSL handshake.
/etc/ssl/certs/ is the compiled-in default of my openssl:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

$ ls -l /usr/lib/ssl
insgesamt 4
lrwxrwxrwx 1 root root   14 Jan  8  2015 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Jan 29 21:44 misc
lrwxrwxrwx 1 root root   20 Jan 27 00:40 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Jan  8  2015 private -> /etc/ssl/private
So my guess: openldap does not call an important openssl library function, and so openssl uses its defaults.
Andreas
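The checks described in the message above, as an added shell example that is not part of the mailing-list thread: it prints the compiled-in OpenSSL certificate directory, tests whether a given root CA is installed there under its subject hash (the form a CApath lookup uses), and counts how many certificates a server actually presents in its handshake. It assumes the openssl CLI is installed; the host, port and root-certificate file are hypothetical arguments supplied by the caller, and the sample chain at the bottom is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is present.

# Count PEM certificate blocks read from stdin (pure shell, no openssl needed).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Print the CA directory OpenSSL falls back to when nothing else is configured
# (OPENSSLDIR/certs, the location the thread saw being consulted).
default_cert_dir() {
    dir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    echo "${dir}/certs"
}

# Succeed (and print the path) if the certificate in file $1 is present in
# directory $2 under its subject hash, i.e. as <hash>.0, <hash>.1 and so on.
root_is_hashed_in() {
    hash=$(openssl x509 -in "$1" -noout -subject_hash)
    for f in "$2/$hash".[0-9]*; do
        [ -e "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Number of certificates the TLS server at $1:$2 sends in the handshake.
# For StartTLS on the plain LDAP port, add "-starttls ldap" to s_client.
chain_length() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | count_pem_certs
}

# Constructed sample: a two-certificate chain with placeholder bodies, so the
# counting logic can be exercised without a live server.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----'

echo "constructed sample chain: $(printf '%s\n' "$SAMPLE_CHAIN" | count_pem_certs) certificate(s)"

# Live checks only when called as: ./check.sh <host> <port> <root.pem>
if [ "$#" -eq 3 ]; then
    certdir=$(default_cert_dir)
    echo "OpenSSL default CA directory: $certdir"
    if hashed=$(root_is_hashed_in "$3" "$certdir"); then
        echo "root is hashed in the default directory as $hashed"
    else
        echo "root is NOT present in the default directory"
    fi
    echo "server $1:$2 presents $(chain_length "$1" "$2") certificate(s)"
fi
```

If the root shows up as the third certificate only while its hashed copy sits in the default directory, removing or relocating that copy (rather than pointing TLSCACertificatePath at an empty directory) is the setting that actually changes what the server sends.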