
Re: (ITS#4523) Unreadable TLS CA certificates cause termination

OpenLDAP 2.2 is already Historical; bug reports against old releases 
will not be acted on.

In general the use of the CACertificatePath option is not recommended; 
it is poor security practice. In particular, we consider it a 
misconfiguration to point the SSL library at unreadable certificates. If 
you want to selectively permit your certificates, then point slapd at 
its own directory and symlink in the specific certs you want it to use. 
In general there's seldom a good reason for slapd to trust more than a 
single CA certificate.

This ITS will be closed.

howard@ece.ualberta.ca wrote:
> Full_Name: Walt Howard
> Version: 2.2.24
> OS: SuSE Ent Linux 9.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> If slapd.conf has a line
> TLSCACertificatePath /some/path/
> and any certificate file in that directory is not readable by slapd (not running
> as root), then slapd terminates.  In my opinion, it would be better for slapd to
> ignore certificate files it cannot read.  The whole issue of path to certificates
> and content of certificates seems to be ill-defined in the FOSS world.  OpenLDAP
> does a good job of making this configurable, but I still have to share the
> directory with less well-behaved applications.
> I discovered the cause by running in foreground with "-d 1023".  The error
> message correctly showed the directory name but listed the file as `'.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
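As an added example, not part of this ITS thread or of OpenLDAP itself: a POSIX shell sketch of the dedicated-directory approach described above, which symlinks only the chosen CA certificates into a directory reserved for slapd and then checks that every entry is a readable regular file before slapd is started, so a stray unreadable file or dangling link (the failure mode in the report) is caught up front rather than at daemon startup. The directory paths and the slapd account name are assumptions.

```shell
#!/bin/sh
# prepare_ca_dir DEST CERT... : create DEST and symlink each CERT into it.
# Give CERT as an absolute path, otherwise the symlink target is resolved
# relative to DEST and dangles.
prepare_ca_dir() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for cert in "$@"; do
        [ -f "$cert" ] || { echo "not a regular file: $cert" >&2; return 1; }
        ln -sf "$cert" "$dest/$(basename "$cert")" || return 1
    done
    # OpenSSL looks certificates up in a CApath by subject-hash symlinks, so
    # after populating the directory run:  c_rehash "$dest"
    # (or, with OpenSSL 1.1.0 and later:  openssl rehash "$dest")
}

# check_ca_dir DIR : report every entry slapd could not load; return 1 if any.
# Run this as the account slapd runs under (assumed here to be "ldap"), e.g.
#   su -s /bin/sh ldap -c '. ./cacheck.sh; check_ca_dir /etc/openldap/cacerts'
# since readability depends on who asks.
check_ca_dir() {
    dir=$1; bad=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        if [ ! -e "$f" ]; then
            echo "dangling symlink: $f" >&2; bad=1
        elif [ ! -f "$f" ]; then
            echo "not a regular file: $f" >&2; bad=1
        elif [ ! -r "$f" ]; then
            echo "unreadable: $f" >&2; bad=1
        fi
    done
    return $bad
}
```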