Re: (ITS#8586) load cert+chain from TLSCertificateFile
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8586) load cert+chain from TLSCertificateFile
- From: hyc@symas.com
- Date: Mon, 13 Feb 2017 12:19:54 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
sca+openldap@andreasschulze.de wrote:
> Full_Name: Andreas Schulze
> Version: RE24 testing call (2.4.45)
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
> Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)
>
> as discussed on the technical ML it's uncommon to put chain certificates in
> TLSCACertificateFile or TLSCACertificatePath.
It is explicitly documented. http://www.openldap.org/doc/admin24/tls.html
Section 16.2.1.1.
You may argue that it is uncommon for people to read the docs but that doesn't
constitute a software bug.
> In case of an intermediate CA like
> "Let's Encrypt Authority X3" it may be wrong because the user is forced to
> /TRUST/ that intermediate for an unrelated purpose.
That doesn't follow. The file used by slapd is only used to authenticate LDAP
clients.
There is no bug here, this ITS is invalid.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/