--On Thursday, February 09, 2017 12:49 PM -0800 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, February 09, 2017 9:43 PM +0100 "A. Schulze" sca@andreasschulze.de wrote:
that's not the issue. A TLS server sent its certificate and all intermediates EXCLUDING the self-signed root to the client. This is not true for my setup and I don't know why: misconfiguration or wrong ssl implementation.
Sorry, reading back over your configuration, I don't believe it's valid to specify both a CA path and a CA directory. You can use one or the other.
From the man page:
TLSCACertificatePath <path> Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used. This directive is not supported when using GnuTLS.
So it is not clear to me what happens if you use both. ;) I've certainly never tried that. Since you are using both, did you correctly "hash" the CA certs in the directory you pointed at?
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On Thursday, 09 February 2017 21:52 CET, Quanah Gibson-Mount quanah@symas.com wrote:
From the man page:
TLSCACertificatePath <path> Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used. This directive is not supported when using GnuTLS.
So it is not clear to me what happens if you use both. ;) I've certainly never tried that. Since you are using both, did you correctly "hash" the CA certs in the directory you pointed at?
Is this really the problem? I only use TLSCACertificateFile but still get all the intermediate certificates as well as the top level (German Telekom) cert.
Cheers, Ralf Mattes
On 09.02.2017 at 22:32, Ralf Mattes wrote:
Is this really the problem? I only use TLSCACertificateFile but still get all the intermediate certificates as well as the top level (German Telekom) cert.
Ah!
Both TLSCACertificateFile and TLSCACertificatePath contain the acceptable issuer certificates for connections from a client /to/ slapd if TLSVerifyClient is not "none", just as Quanah pointed out some messages ago...
In any case the list of DNs is sent to the client as part of the SSL handshake.
If it happens that TLSCACertificateFile and/or TLSCACertificatePath contain certificates related to the server certificate chain, these are also sent, to build this cert chain.
But even if TLSCertificateFile points to a file containing cert + intermediate, OpenLDAP still delivers only the cert to the client (if TLSCACertificateFile and TLSCACertificatePath are unset).
I'm confused because it's different from Postfix, for example.
There I configure "smtpd_tls_cert_file = $cert_and_intermediates". Optionally I may enable "smtpd_tls_ask_ccert = yes"; then the SMTP server asks the client to present a client cert, and I have to configure smtpd_tls_CAfile or smtpd_tls_CApath.
The difference between smtpd_tls_CAfile and smtpd_tls_CApath in postfix: ( see http://www.postfix.org/postconf.5.html#smtpd_tls_CApath ) "In contrast to smtpd_tls_CAfile, DNs of Certification Authorities installed in $smtpd_tls_CApath are not included in the client certificate request message."
And this is what you see, Ralf ... OpenLDAP always sends the list of DNs.
Hope that helps. Andreas
On 09.02.2017 at 21:52, Quanah Gibson-Mount wrote:
So it is not clear to me what happens if you use both. ;) I've certainly never tried that. Since you are using both, did you correctly "hash" the CA certs in the directory you pointed at?
That's the point: the directory is empty! I configured cert + intermediate but never a root. Some magic default will grab it from a default location, and that's what I tried to avoid by setting "TLSCACertificatePath /path/to/an/empty/directory/"
I just removed TLSCACertificatePath from my config, but that doesn't change anything. Some more tests later, I now verified:
No matter if TLSCACertificatePath is set or not: if /etc/ssl/certs/ contains the correctly "hashed" certificate representing the root, it's delivered as the third certificate in the SSL handshake.
/etc/ssl/certs/ is the compiled-in default of my OpenSSL:
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

$ ls -l /usr/lib/ssl
insgesamt 4
lrwxrwxrwx 1 root root   14 Jan  8  2015 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Jan 29 21:44 misc
lrwxrwxrwx 1 root root   20 Jan 27 00:40 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Jan  8  2015 private -> /etc/ssl/private
So my guess: OpenLDAP does not call an important OpenSSL library function, and so OpenSSL uses its defaults.
Andreas
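Two checks that follow from this thread, as an added example (not code from the thread or from OpenLDAP): `describe_chain` lists each certificate in a PEM bundle such as one saved from `openssl s_client -showcerts` and flags self-signed ones, so you can see whether a server is sending its root; `check_hashed_dir` verifies that a directory meant for TLSCACertificatePath has the `<subject_hash>.0` links OpenSSL looks up. It assumes the `openssl` CLI is in PATH; file and directory names are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect a server's certificate chain and a hashed CA directory
# with the openssl CLI. Assumes `openssl` is in PATH.
set -eu

# One line per certificate in the PEM bundle $1: position, "self-signed" or
# "issued", subject and issuer. A self-signed cert at the end of a served
# chain is the root that a client should already have in its own trust store.
describe_chain() {
    tmp=$(mktemp -d)
    # Split the bundle into 1.pem, 2.pem, ... in server order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        # The sed strips the "subject=" / "issuer=" label; the rest of the
        # line differs between OpenSSL 1.0 and 1.1+ but is consistent within one version.
        subj=$(openssl x509 -noout -subject -in "$tmp/$i.pem" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$tmp/$i.pem" | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=issued; fi
        printf '%d\t%s\tsubject=%s\tissuer=%s\n' "$i" "$kind" "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Number of self-signed certificates in the bundle $1 (0 is what a server
# that sends only leaf + intermediates produces).
count_self_signed() {
    describe_chain "$1" | awk -F'\t' '$2 == "self-signed" {n++} END {print n + 0}'
}

# OpenSSL finds CA certs in a TLSCACertificatePath directory by the name
# <subject_hash>.<n>, which c_rehash / `openssl rehash` create. Report every
# .pem in $1 that has no such link; succeed only if all are hashed.
check_hashed_dir() {
    dir="$1"; missing=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f")
        if [ ! -e "$dir/$h.0" ]; then
            echo "unhashed: $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Run `describe_chain` on the output of `openssl s_client -showcerts -connect ldap.example:636 </dev/null` saved to a file to see whether the third certificate is the root, as described in the thread.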
openldap-technical@openldap.org