--On Thursday, February 09, 2017 8:27 PM +0100 "A. Schulze" sca@andreasschulze.de wrote:
Hi Andreas,
a manual test using openssl s_client also proves the root is wrongly delivered: $ echo | openssl11 s_client -connect ldap-test.example.org:443
Please see the slapd.conf(5) or slapd.conf(5) man pages, which clearly state:
TLSCACertificateFile <filename> Specifies the file that contains certificates for all of the Certificate Authorities that slapd will recognize.
Note "That *slapd* will recognize". The server cannot and will not provide the cert chains to clients as that is a massive security risk. Clients can and must be configured with the list of CAs *they* will trust when the server provides the cert.
Ultimate features would be OCSP stapling (OK, no ldap client currently implements that) and setting ecdh_curve via SSL_CTX_set1_curves_list
Feel free to submit a patch to implement anything necessary beyond what was discussed in http://www.openldap.org/its/index.cgi/?findid=7506. :) Or at least file an ITS so the issue can be tracked.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 09.02.2017 at 20:54, Quanah Gibson-Mount wrote:
Please see the slapd.conf(5) or slapd.conf(5) man pages, which clearly state:
TLSCACertificateFile <filename> Specifies the file that contains certificates for all of the Certificate Authorities that slapd will recognize.
Note "That *slapd* will recognize". The server cannot and will not provide the cert chains to clients as that is a massive security risk. Clients can and must be configured with the list of CAs *they* will trust when the server provides the cert.
That's not the issue. A TLS server sends its certificate and all intermediates EXCLUDING the self-signed root to the client. This is not true for my setup and I don't know why: misconfiguration or wrong SSL implementation.
Andreas
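Added example, not part of the thread: a stdlib-only Python parser for the "Certificate chain" block that `openssl s_client -showcerts` prints, which flags the symptom Andreas describes (a self-signed root included in the chain the server sends) and any break in the leaf-to-root issuer order. The sample output and its subject names are constructed; the PEM bodies are replaced by placeholders because only the `s:`/`i:` summary lines are parsed.

```python
import re
from typing import List, Tuple

# Constructed sample of what `openssl s_client -showcerts` prints for a server
# that also sends its self-signed root (the thread's symptom). PEM bodies are
# replaced by placeholders; only the "s:" / "i:" summary lines are parsed.
SAMPLE_SHOWCERTS = """\
---
Certificate chain
 0 s:C = DE, O = Example, CN = ldap-test.example.org
   i:C = DE, O = Example, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(leaf certificate body omitted)
-----END CERTIFICATE-----
 1 s:C = DE, O = Example, CN = Example Intermediate CA
   i:C = DE, O = Example, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(intermediate certificate body omitted)
-----END CERTIFICATE-----
 2 s:C = DE, O = Example, CN = Example Root CA
   i:C = DE, O = Example, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(root certificate body omitted)
-----END CERTIFICATE-----
---
"""

# Each chain element is an "N s:<subject>" line followed by an "i:<issuer>" line.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in _ENTRY.finditer(showcerts_output)]

def audit_chain(chain: List[Tuple[str, str]]) -> List[str]:
    """Report a self-signed root in the sent chain and any break in issuer order."""
    findings = []
    for depth, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append(f"depth {depth}: self-signed root sent ({subject})")
        if depth + 1 < len(chain) and issuer != chain[depth + 1][0]:
            findings.append(f"depth {depth}: issuer does not match next subject")
    return findings

if __name__ == "__main__":
    for line in audit_chain(parse_chain(SAMPLE_SHOWCERTS)) or ["no findings"]:
        print(line)
```

To check a live server, pipe `echo | openssl s_client -connect host:port -showcerts` into `parse_chain`; an empty findings list means the server sends leaf and intermediates only, in order, with no root.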
Quanah Gibson-Mount quanah@symas.com wrote on 09.02.2017 at 20:54 in message <0EB836D4A3B56CC8A52531D7@[192.168.1.30]>:
[...]
Note "That *slapd* will recognize". The server cannot and will not provide the cert chains to clients as that is a massive security risk. Clients can
Can you explain what the massive security risk is?
and must be configured with the list of CAs *they* will trust when the server provides the cert.
[...]
Regards, Ulrich
openldap-technical@openldap.org