(ITS#5582) Default OpenSSL certs are only used when TLS_CACERT(DIR)
Full_Name: Hallvard B Furuseth
Version: HEAD, 2.3, 2.4
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-080627.diff
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard
OpenLDAP only uses the default certificates installed with OpenSSL if
TLS_CACERT or TLS_CACERTDIR is set. Or presumably
TLSCACertificate<File/Dir> in servers, but the libldap/tls.c code for
servers seems to require a certificate chain from that directory anyway.
To reproduce:
$ export LDAPCONF=/dev/null
$ ldapwhoami -xZZh ldap.uio.no
certificate verify failed
$ export LDAPTLS_CACERT="*any* certificate.pem file"
$ ldapwhoami -xZZh ldap.uio.no
anonymous
Or if it still fails, find where OpenSSL wants its default certs:
strace ldapwhoami -xZZh ldap.uio.no 2>&1 | grep ssl
and temporarily append the root cert which signed our server cert from
https://secure.globalsign.net/cacert/CT_Root_CA.pem
Then try again. Something like /usr/local/ssl/cert.pem.
$ ldapwhoami -xZZh ldap.uio.no
anonymous
$ unset LDAPTLS_CACERT; ldapwhoami -xZZh ldap.uio.no
certificate verify failed
The relevant code is in libldap/tls.c:ldap_int_tls_init_ctx().
I enclose a tentative patch which fixes the above problem, but
I'm not sure it's the right one for servers and GnuTLS.
The GnuTLS branch does not require a server TLSCACertificateFile,
but the OpenSSL code does. I don't know if GnuTLS has a default
which is used instead, nor if OpenSSL can have that.
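The behaviour the report describes, reproduced offline as an added example (this is not code from the report, its enclosed patch, or OpenLDAP's libldap/tls.c): Python's ssl module wraps the same OpenSSL calls libldap uses, so a context built without an explicit CA file or directory, and without a call to load the default verify paths, trusts no CA at all, which is exactly why "certificate verify failed" appears until LDAPTLS_CACERT points at any certificate file. The function names, the always_load_defaults switch and the audit() helper are my own; get_default_verify_paths() reports the OPENSSLDIR locations the report hunts for with strace.

```python
"""Added example, not part of the ITS report or OpenLDAP: show how an OpenSSL
client context's trust store depends on whether the default verify paths are
loaded, using Python's ssl module as a stand-in for libldap/tls.c."""
import ssl
from typing import Optional


def default_cert_locations() -> dict:
    """Return where this OpenSSL build looks for its default CA certificates.

    These are the OPENSSLDIR paths (e.g. something like /usr/local/ssl/cert.pem)
    that the report finds by stracing ldapwhoami; OpenSSL exposes them directly
    through X509_get_default_cert_file()/X509_get_default_cert_dir().
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.openssl_cafile,           # default CA bundle file
        "capath": paths.openssl_capath,           # default hashed CA directory
        "cafile_env": paths.openssl_cafile_env,   # env var overriding the file
        "capath_env": paths.openssl_capath_env,   # env var overriding the dir
    }


def build_client_context(cacert: Optional[str] = None,
                         cacertdir: Optional[str] = None,
                         always_load_defaults: bool = False) -> ssl.SSLContext:
    """Build a verifying TLS client context.

    always_load_defaults=False mirrors the behaviour the report complains about:
    the OpenSSL default store is consulted only when an explicit CA file or
    directory (TLS_CACERT / TLS_CACERTDIR) is configured.  With
    always_load_defaults=True the defaults are loaded unconditionally, which is
    the hypothetical fixed behaviour; it is not the report's actual patch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    explicit = cacert is not None or cacertdir is not None
    if explicit:
        # SSL_CTX_load_verify_locations(): trust the configured file/dir ...
        ctx.load_verify_locations(cafile=cacert, capath=cacertdir)
        # ... and SSL_CTX_set_default_verify_paths() only in this branch.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    elif always_load_defaults:
        # Fixed behaviour: default paths are loaded even with no explicit CA.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates the context will accept as trust anchors."""
    return ctx.cert_store_stats()["x509_ca"]


def audit(cacert: Optional[str] = None, cacertdir: Optional[str] = None) -> dict:
    """Compare the trust store under both behaviours for one configuration."""
    buggy = trusted_ca_count(build_client_context(cacert, cacertdir, False))
    fixed = trusted_ca_count(build_client_context(cacert, cacertdir, True))
    return {"buggy": buggy, "fixed": fixed, "defaults": default_cert_locations()}


if __name__ == "__main__":
    # With no CA configured, the "buggy" context trusts nothing, so every
    # server certificate fails verification; the fixed one trusts whatever
    # OpenSSL's default store holds on this machine.
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Running the block with no arguments prints a trusted-CA count of 0 for the unfixed behaviour regardless of how many root certificates the system ships, and the default-path dictionary tells you which file or directory to inspect (or, as the report does, to append a root certificate to) when verification still fails after the fix.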