11:35 a.m.
I'm not certain the hack redhat added to force openldap to use nss actually
causes openldap to use the nss cert store. My rhel6 openldap servers appear
to just use the PEM certs they would have used as if redhat never messed
with forcing openldap to use nss, but rather left it at openssl. I did
check and slapd is linked against the nss libs, but using the pem file in
/etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the
updated cert store into the directory where openldap is looking.
On Wed, Jun 3, 2020 at 11:32 AM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
--On Wednesday, June 3, 2020 8:15 PM +0300 Леонид Юрьев
<leo(a)yuriev.ru> wrote:
> Seems this is
> https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.
Since RHEL6 is in use here, specifically see the linked tweet for
Fedora/RHEL in the above post.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
Dale James Thompson, NWS
Radar Operations Center
IT Specialist, Configuration Management Team
1313 Halley Circle
Norman, OK 73069
Voice (405) 573-3472
Fax (405) 573-3480
Dale.J.Thompson(a)noaa.gov
11:43 a.m.
New subject: ssl certificate chain
On 6/3/20 8:35 PM, Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use
nss
actually causes openldap to use the nss cert store. My rhel6 openldap
servers appear to just use the PEM certs they would have used as if
redhat never messed with forcing openldap to use nss, but rather left it
at openssl. I did check and slapd is linked against the nss libs, but
using the pem file in /etc/openldap/cacerts.
I vaguely remember that they have implemented a PKCS#11 module for using
PEM files as key store with libnss.
Ciao, Michael.
11:44 a.m.
New subject: ssl certificate chain
Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use
nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear
to just
use the PEM certs they would have used as if redhat never messed with forcing openldap to
use nss, but rather left it at openssl. I did check and slapd is
linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the updated cert store
into the directory where openldap is looking.
Redhat adds a custom PKCS#11 module to their NSS that lets it use PEM files. So it can use
either
their usual certificate DBs or plain PEM files.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:23 p.m.
New subject: ssl certificate chain
Thanks, all, for your responses. Ayer's blog entry and the twitter link it had the
root (heh) explanation we were looking for.
We did in fact import the new root cert into the nss database as a way to get the broken
applications to work. I'm going to continue to try the blacklist approach outlined in
Christian Heimes' tweet.
Howard, I kinda figured this wasn't actually an openldap issue; do you still want
the full output?
________________________________
From: Howard Chu <hyc(a)symas.com>
Sent: Wednesday, June 3, 2020 2:44 PM
To: Dale Thompson - NOAA Federal <dale.j.thompson(a)noaa.gov>;
openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Subject: Re: ssl certificate chain
Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use
nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear
to just
use the PEM certs they would have used as if redhat never messed with forcing openldap to
use nss, but rather left it at openssl. I did check and slapd is
linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the updated cert store
into the directory where openldap is looking.
Redhat adds a custom PKCS#11 module to their NSS that lets it use PEM files. So it can use
either
their usual certificate DBs or plain PEM files.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1280
days inactive
1281
days old
openldap-technical@openldap.org
3 comments
4 participants
participants (4)
-
Dale Thompson - NOAA Federal -
Heinemann, Peter G -
Howard Chu -
Michael Ströder