
Re: (ITS#8586) load cert+chain from TLSCertificateFile



sca+openldap@andreasschulze.de wrote:
> Full_Name: Andreas Schulze
> Version: RE24 testing call (2.4.45)
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
> Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)
>
> As discussed on the technical ML, it's uncommon to put chain certificates in
> TLSCACertificateFile or TLSCACertificatePath.

It is explicitly documented. http://www.openldap.org/doc/admin24/tls.html
Section 16.2.1.1.

You may argue that it is uncommon for people to read the docs but that doesn't 
constitute a software bug.

> In case of an intermediate CA like
> "Let's Encrypt Authority X3" it may be wrong because the user is forced to
> /TRUST/ that intermediate for an unrelated purpose.

That doesn't follow. The file used by slapd is only used to authenticate LDAP 
clients.

There is no bug here, this ITS is invalid.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/