
(ITS#8586) load cert+chain from TLSCertificateFile



Full_Name: Andreas Schulze
Version: RE24 testing call (2.4.45)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)


As discussed on the technical ML, it's uncommon to put chain certificates in
TLSCACertificateFile or TLSCACertificatePath. In the case of an intermediate CA like
"Let's Encrypt Authority X3" it may be wrong because the user is forced to
/TRUST/ that intermediate for an unrelated purpose.

From https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_use_certificate.html#NOTES:

  SSL_CTX_use_certificate_chain_file() should be used instead of the
  SSL_CTX_use_certificate_file() function in order to allow the use of complete
  certificate chains even when no trusted CA storage is used or when the CA issuing
  the certificate shall not be added to the trusted CA storage.

The patch andreas-schulze-20170211.patch applies only to OpenSSL.
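The following is an added example, not part of the ITS report or the patch above. It builds a throwaway three-level test PKI (root, intermediate, leaf) with the openssl CLI and then shows the distinction the report is about: a verifier that trusts only the root cannot validate the leaf on its own, but can validate it once the intermediate travels alongside the leaf as untrusted chain material rather than being added to the trust store. All subjects, file names and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the ITS report). Constructed test PKI: every
# subject and file name here is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Create root CA, intermediate CA and a server leaf in $WORK, plus a
# leaf-chain.pem holding leaf + intermediate (the "cert+chain" file).
make_pki() {
    # CA extensions for root and intermediate; end-entity extensions for the leaf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.test\n' \
        > "$WORK/leaf.ext"

    # Self-signed root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

    # Server leaf signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

    # Leaf first, then the intermediate: the order a chain file is expected in.
    cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/leaf-chain.pem"
}

# Number of certificates in the chain file (expected: 2, leaf + intermediate).
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/leaf-chain.pem"
}

# Trust store holds only the root; only the leaf is presented. Prints "fail".
verify_leaf_only() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Trust store still holds only the root; the intermediate is supplied as
# untrusted chain material, as a server sending cert+chain would. Prints "ok".
verify_with_chain() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
echo "certs in leaf-chain.pem: $(chain_cert_count)"
echo "root only, leaf alone:   $(verify_leaf_only)"
echo "root only, leaf + chain: $(verify_with_chain)"
```

In slapd terms, the file corresponding to leaf-chain.pem is what the patch lets TLSCertificateFile carry, while TLSCACertificateFile keeps only root.pem; the intermediate is then sent to clients without being trusted by the server for anything else. The `-untrusted` flag is the CLI counterpart of that separation: it makes the intermediate available for chain building without adding it to the trust store.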