On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote:
For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series).
Hello,
For nearly a week now I have been running that release without any noise. It's compiled against openssl-1.1.0d and runs on an IPv6-only host. But: it's a small private server, no load, no replication...
One point is worth mentioning: I also exposed the server on port 443 and did a scan with ssllabs.com. While I'm pretty sure I configured the certificates properly, ssllabs proves that the server delivers not only the certificate and the intermediate but also the root as part of the initial SSL handshake.
My TLS settings are:

TLSCertificateFile /path/to/cert.pem
TLSCertificateKeyFile /path/to/key.pem
TLSCACertificateFile /path/to/intermediate.pem
TLSCACertificatePath /path/to/an/empty/directory/
TLSProtocolMin 3.3

$ openssl x509 -noout -in /path/to/cert.pem -issuer -subject
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=ldap-test.example.org

$ openssl x509 -noout -in /path/to/intermediate.pem -issuer -subject
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

A manual test using openssl s_client also proves the root is wrongly delivered:

$ echo | openssl11 s_client -connect ldap-test.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap-test.example.org
verify return:1
---
Certificate chain
...
Ultimate features would be OCSP stapling (OK, no LDAP client currently implements that) and setting ecdh_curve via SSL_CTX_set1_curves_list.
Andreas
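Added example (not from the mail above or from OpenLDAP): a small checker for the chain problem Andreas describes. It parses the "Certificate chain" section of `openssl s_client -showcerts` output, verifies that each certificate's issuer is the next certificate's subject, and flags a trailing self-signed certificate, which means the root CA is being sent in the handshake. The sample output is constructed to mirror the Let's Encrypt chain in the mail, with the PEM bodies elided; the `s:`/`i:` line format is that of OpenSSL 1.0/1.1.0 s_client, and the regexes only assume those two prefixes.

```python
import re
from typing import List, Tuple

# Constructed sample of `openssl s_client -showcerts` output, modelled on the
# chain shown in the mail (subjects/issuers copied, certificate bodies elided).
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=0 CN = ldap-test.example.org
verify return:1
---
Certificate chain
 0 s:/CN=ldap-test.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=..."
_ISSUER = re.compile(r"^\s+i:(.*)$")            # "   i:/C=US/..."


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None   # PEM body and other lines are skipped
    return chain


def chain_findings(chain: List[Tuple[str, str]]) -> List[str]:
    """Report broken links and a self-signed (root) certificate at the end of the chain."""
    findings = []
    for idx in range(len(chain) - 1):
        if chain[idx][1] != chain[idx + 1][0]:
            findings.append(f"cert {idx} issuer does not match cert {idx + 1} subject")
    if chain and chain[-1][0] == chain[-1][1]:
        findings.append(f"cert {len(chain) - 1} is self-signed: the root CA is sent in the handshake")
    return findings
```

With the sample chain the only finding is the self-signed root at position 2; dropping it from the chain (i.e. fixing TLSCACertificateFile to contain only the intermediate) yields no findings.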