Nat Sincheler wrote:
On 7/27/2016 11:19 PM, Ulrich Windl wrote:
Nat Sincheler fai1107@macrotex.net wrote on 26.07.2016 at 17:20 in message 991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net:
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
Nat Sincheler fai1107@macrotex.net wrote on 25.07.2016 at 19:06 in message c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net:
We have an OpenLDAP server that is listening on port 636 over ldaps. When I run
openssl s_client -showcerts -connect ldap-server:636
I only see the host certificate. The intermediate and root certificates do *not* come through.
If I do that on one of our servers, I get:
Root CA
Intermediate CA
Server Certificate
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
For this server I have in the file slapd.d/cn=config.ldif the setting
olcTLSCACertificatePath: /etc/ssl/certs
Hi!
Here it works with these settings:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
Could it be a permissions problem? Did you try to check the certificate
chain with openssl (preferably as the LDAP user)?
When I run the openssl s_client command I get no errors, but I also get no intermediate or root certificates sent. I see this in the output: "No client certificate CA names sent".
Hi!
To me it looks like a problem with your certificates. Try to verify them using openssl, like this:
openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK
% grep -R Certificate *.ldif
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OK
So, the openssl command line can find the certificate chain. Why can't openldap?
If your OpenLDAP build is not behaving the same as your OpenSSL build, then most likely your OpenLDAP was not built with OpenSSL. Otherwise, their behavior would match.
You never provided essential information such as OS platform and OpenLDAP version, so nobody can give you definitive answers.
On 7/28/2016 8:41 AM, Howard Chu wrote:
If your OpenLDAP build is not behaving the same as your OpenSSL build, then most likely your OpenLDAP was not built with OpenSSL. Otherwise, their behavior would match.
You never provided essential information such as OS platform and OpenLDAP version, so nobody can give you definitive answers.
We are using version 2.4.42 of OpenLDAP compiled on Debian jessie, which uses GnuTLS rather than OpenSSL.
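One thing the thread never spells out is what Ulrich's "openssl verify -CApath /etc/ssl/certs ... OK" actually proves. The script below is an added example, not code from the thread or from the OpenLDAP project. Using only the openssl CLI it builds a constructed Root CA -> Intermediate CA -> server chain (every name in it, such as "Example Root CA" and "ldap-server", is made up), reproduces that verify check, shows the failure a client gets when the intermediate is neither in its own store nor sent by the server, and assembles the leaf-plus-intermediate file to point olcTLSCertificateFile at. It assumes the slapd build reads the whole chain from the certificate file: GnuTLS does (its certificate loader accepts a PEM list with the end-entity certificate first), while an OpenSSL-linked slapd can also assemble the chain from the CA store, which fits Howard's remark that the two builds behave differently.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Builds a throw-away
# Root CA -> Intermediate CA -> server certificate chain with the openssl CLI,
# reproduces the "openssl verify -CApath" check from the thread, shows what a
# client that does not already hold the intermediate sees, and builds the chain
# file a server must present. All names are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkchain DIR: create root.pem, int.pem and server.pem (plus keys) under DIR
mkchain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap-server\n' >"$d/srv.ext"
  # self-signed root (constructed name)
  openssl req -new -batch -nodes -newkey rsa:2048 -subj '/CN=Example Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate signed by the root
  openssl req -new -batch -nodes -newkey rsa:2048 -subj '/CN=Example Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # server certificate signed by the intermediate
  openssl req -new -batch -nodes -newkey rsa:2048 -subj '/CN=ldap-server' \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# mkcapath DIR CERT...: populate a hashed CA directory of the kind that
# -CApath / olcTLSCACertificatePath (e.g. /etc/ssl/certs) expects: one
# <subject-hash>.0 symlink per CA certificate
mkcapath() {
  d=$1; shift
  mkdir -p "$d"
  for c in "$@"; do
    ln -sf "$c" "$d/$(openssl x509 -noout -hash -in "$c").0"
  done
}

# verify_ok CERT [openssl verify options...]: succeeds if CERT chains to a
# trust anchor reachable through the given options (the check run on the list)
verify_ok() {
  cert=$1; shift
  openssl verify "$@" "$cert" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in FILE, which may be a chain
# file or saved "openssl s_client -showcerts" output
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# certs_sent_by HOST:PORT: how many certificates a live TLS server presents.
# Point it at ldap-server:636; a result of 1 is the symptom from the thread.
# Not exercised below because it needs a network peer.
certs_sent_by() {
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

mkchain "$WORK"
mkcapath "$WORK/certs" "$WORK/root.pem" "$WORK/int.pem"

# 1. With root *and* intermediate in the local store, the server cert alone
#    verifies. This is the "OK" from the thread: it proves the local store is
#    complete, not that the server sends the intermediate.
verify_ok "$WORK/server.pem" -CApath "$WORK/certs" && echo "CApath holding the intermediate: OK"

# 2. A client that holds only the root, talking to a server that sends only
#    its own certificate, fails ("unable to get local issuer certificate").
verify_ok "$WORK/server.pem" -CAfile "$WORK/root.pem" || echo "root only, intermediate not sent: FAIL"

# 3. Supplying the intermediate alongside the leaf repairs it; -untrusted is
#    how openssl verify models "the server sent this certificate".
verify_ok "$WORK/server.pem" -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" && echo "root + sent intermediate: OK"

# 4. The chain file to point olcTLSCertificateFile at: leaf first, then each
#    issuing CA up to (but normally not including) the root.
cat "$WORK/server.pem" "$WORK/int.pem" >"$WORK/chain.pem"
echo "chain.pem holds $(count_certs "$WORK/chain.pem") certificates"
```

Run it as the user slapd runs as if a permissions problem is suspected. Step 1 succeeds here for the same reason it did on the list: both CAs sit in the hashed directory, so the local store can close the chain on its own. Only certs_sent_by ldap-server:636 (the certificate count from openssl s_client -showcerts) tells you what the server actually presents; under the assumption stated above, that count should go from 1 to 2 once olcTLSCertificateFile holds chain.pem rather than server.pem alone.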
openldap-technical@openldap.org