Full_Name: Quanah Gibson-Mount
Version: 2.4.x
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)

Both openssl and gnutls support loading CA certs from multiple directories. It would be handy to be able to do this for slapd and the ldap clients. For example, zimbra puts its CA certs in /opt/zimbra/conf/ca, but the system it is installed upon is going to have a different default destination for where its ldap clients look for CA certs. By having support for the multiple paths, the configuration can be adjusted to look in both the system location, and any number of specialized ones.
quanah@zimbra.com wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.x
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
>
>
> Both openssl and gnutls support loading CA certs from multiple directories. It
> would be handy to be able to do this for slapd and the ldap clients. For
> example, zimbra puts its CA certs in /opt/zimbra/conf/ca, but the system it is
> installed upon is going to have a different default destination for where its
> ldap clients look for CA certs. By having support for the multiple paths, the
> configuration can be adjusted to look in both the system location, and any
> number of specialized ones.

In light of ITS#5582, this should probably wait until 2.5. I.e., we probably also want to require the OpenSSL default paths to be explicitly enabled when we allow multiple paths to be configured. E.g. we could allow "DEFAULT" to be a specially recognized token for enabling the default path.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
moved from Incoming to Software Enhancements
See also ITS#5582, ITS#8529, ITS#8586
changed notes
(In reply to Quanah Gibson-Mount from comment #0)
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.x
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
>
>
> Both openssl and gnutls support loading CA certs from multiple directories.

The OpenSSL docs do not support this assertion.
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html

Closing this ITS.
Should be possible via https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_add_dir.html

Some discussion on how to do this at https://curl.se/mail/lib-2012-07/0233.html and https://curl.se/mail/lib-2012-07/0284.html
For GnuTLS, it is https://gnutls.org/manual/html_node/X509-certificate-API.html#index-gnutls_005fx509_005ftrust_005flist_005fadd_005ftrust_005fdir
Supporting this will require extra care on the part of the sysadmins. In particular, we currently send a list of the names of every CA cert that was configured, to every client, if client cert authentication is configured. It would probably be a bad idea to send the hundreds of CAs in the default cert bundle in that case. It only ever makes sense for an LDAP server to trust and advertise a very small number of CAs. In particular when client certs are used for authentication, it doesn't make sense to trust certs from anywhere other than the CA that's signing the client certs. Given the small scope of trust, it also doesn't make sense to be picking up trusted CA certs from large numbers of locations.
Added in master
(In reply to Howard Chu from comment #9)
> Added in master

This in particular needs testing on Windows.
Commits:
• dfcaa3f0 by Howard Chu at 2021-07-22T21:07:21+01:00
  ITS#6248 support multiple CAcert dirs
(In reply to Howard Chu from comment #10)
> (In reply to Howard Chu from comment #9)
> > Added in master
>
> This in particular needs testing on Windows.

Never mind. The function in question, SSL_add_dir_cert_subjects_to_stack, which we previously excluded on Windows builds, has been well supported in OpenSSL since 2004. So, no problem with that particular change.
Commits:
• ff0defdc by Howard Chu at 2021-07-22T23:54:25+01:00
  ITS#6248 fix prev commit tlso_ca_list