Re: failover config: servers with same DNS address and TLS, subjectAltName extension



On Tuesday 24 July 2007 21:18, Emmanuel Dreyfus wrote:
> Howard Chu <hyc@symas.com> wrote:
> > When you run OpenLDAP's configure script you will see:
> >
> > checking OpenSSL library version (CRL checking capability)... no
> >
> > indicating that your OpenSSL library doesn't support it. Otherwise I
> > suppose you would see in your OpenSSL release notes/docs.
>
> Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test
> validates at mine, despite OpenSSL version (0.9.7d)
>
> configure:19757: checking OpenSSL library version (CRL checking
> capability)
> configure:19791: result: yes
>
> And then if I use TLS_CRLCHECK, LDAP operation will fail:
>
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I hope you'll agree with me that this is *very* misleading if CRL checks
> are not supposed to work with 0.9.7d.

They should work with 0.9.7d. IIRC that was the version I used when 
implementing CRL support. 
Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you 
want to use CRLs you have to specify a CACERTDIR. That directory has to be 
correctly hashed (using c_rehash).

-- 
Ralf
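Ralf's note above (a CACERTDIR must be correctly hashed before TLS_CRLCHECK will verify anything) as an added shell example that is not part of the thread; it assumes a current `openssl` CLI, creates the hash links directly with `openssl x509 -hash` / `openssl crl -hash` (which is what c_rehash does) and then checks that every CA cert and CRL in the directory is reachable through its link.

```shell
#!/bin/sh
# Constructed example: build and verify a hashed TLS_CACERTDIR for OpenLDAP.
# ldap.conf(5) lines that would use it (the path is an assumption):
#   TLS_CACERTDIR /etc/openldap/cacerts
#   TLS_CRLCHECK  all
set -eu

# Create <hash>.N links for CA certs and <hash>.rN links for CRLs in $1,
# the layout OpenSSL's lookup-by-directory expects (same result as c_rehash).
rehash_dir() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if openssl x509 -noout -in "$f" 2>/dev/null; then
            h=$(openssl x509 -noout -hash -in "$f"); suffix=""
        elif openssl crl -noout -in "$f" 2>/dev/null; then
            h=$(openssl crl -noout -hash -in "$f"); suffix="r"
        else
            continue            # not a PEM cert or CRL; ignore it
        fi
        n=0
        while [ -e "$dir/$h.$suffix$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$suffix$n"
    done
}

# Return 0 if every cert/CRL in $1 has a hash link, 1 (with a message) otherwise.
# A directory that fails this check gives exactly the "certificate verify failed"
# symptom seen in the thread once TLS_CRLCHECK is turned on.
check_cacertdir() {
    dir=$1; rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if openssl x509 -noout -in "$f" 2>/dev/null; then
            h=$(openssl x509 -noout -hash -in "$f"); suffix=""
        elif openssl crl -noout -in "$f" 2>/dev/null; then
            h=$(openssl crl -noout -hash -in "$f"); suffix="r"
        else
            continue
        fi
        if [ ! -e "$dir/$h.${suffix}0" ]; then
            echo "no hash link for $f (expected $h.${suffix}0); run rehash_dir" >&2
            rc=1
        fi
    done
    return $rc
}
```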