
Re: Syncrepl can't start ssl session because of refused 'client' certificate



Hello,

On 11/07/2011 22:24, Howard Chu wrote:
Thibault Le Meur wrote:
On 11/07/2011 18:29, Rich Megginson wrote: Not necessarily. When linked to openssl, openldap used to use the
/etc/openldap/ldap.conf file to read the client-side SSL configuration.

   Please open an ITS for this.  I'll have to figure out how this was
working in openssl.
Done: ITS#6994

Sounds to me like there's no bug here and the ITS report is invalid. If you want separate TLS settings for syncrepl you must put them in the syncrepl directive.

Indeed, there is a new set of TLS parameters that can be given to the syncrepl processes. However, even when defining the tls_cacert="/etc/ssl/cacerts/cacert.pem" parameter, syncrepl fails to connect to ldaps:// providers because it still inherits the "client certs" from the main context. There is no tls_forget_previous_tls_context parameter, so unless I try to overwrite the tls_cert and tls_key parameters (something I don't want to do in my particular setup) I can't get rid of the global TLS context.

Regards,
Thibault
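The behaviour discussed in this thread (a syncrepl directive that sets only tls_cacert still presents the server's global TLSCertificateFile/TLSCertificateKeyFile as its client certificate, so separate client credentials have to be given as tls_cert/tls_key inside the syncrepl directive) is easy to audit from slapd.conf before a replica is started. The script below is an added example, not code from the OpenLDAP project or from anyone in the thread. It parses a slapd.conf (handling whitespace-continuation lines), collects the global TLS context, and reports for every syncrepl consumer which certificate it would end up presenting. The fallback model it applies (syncrepl without tls_cert/tls_key inherits the global server certificate) is taken from the observation in this thread, and the configuration it runs on is constructed for the example.

```python
"""Audit slapd.conf: which syncrepl consumers would present the server's own
(global) TLS certificate as a client certificate?

Added example; not OpenLDAP project code.  Assumption (from this thread): a
syncrepl directive that sets no tls_cert/tls_key falls back to the global
TLSCertificateFile/TLSCertificateKeyFile context when talking TLS to its
provider.
"""

import shlex

# Global slapd.conf directives (matched case-insensitively) that define the
# main TLS context, mapped to the syncrepl parameter they fall back into.
GLOBAL_TLS = {
    "tlscertificatefile": "tls_cert",
    "tlscertificatekeyfile": "tls_key",
    "tlscacertificatefile": "tls_cacert",
}

# Constructed sample configuration, mirroring the thread's situation:
# rid=001 only sets tls_cacert, rid=002 supplies its own client identity.
SAMPLE_CONF = """\
# global TLS context used by the server side
TLSCertificateFile /etc/ssl/certs/slapd.pem
TLSCertificateKeyFile /etc/ssl/private/slapd.key
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem

database hdb
suffix "dc=example,dc=com"
syncrepl rid=001
    provider=ldaps://provider1.example.com
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=secret
    tls_cacert="/etc/ssl/cacerts/cacert.pem"
syncrepl rid=002
    provider=ldaps://provider2.example.com
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=secret
    tls_cacert="/etc/ssl/cacerts/cacert.pem"
    tls_cert="/etc/ssl/certs/replicator.pem"
    tls_key="/etc/ssl/private/replicator.key"
    tls_reqcert=demand
"""


def logical_lines(text):
    """Join slapd.conf continuation lines (a line starting with whitespace
    continues the previous directive) and drop blank lines and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_syncrepl(directive):
    """Turn 'syncrepl rid=001 provider=... tls_cacert="..."' into a dict.
    shlex strips the quotes, so tls_cacert="/x" becomes tls_cacert=/x."""
    params = {}
    for tok in shlex.split(directive)[1:]:
        key, _, val = tok.partition("=")
        params[key.lower()] = val
    return params


def effective_tls(conf_text):
    """Return {rid: report} describing the TLS identity each consumer uses."""
    global_ctx, consumers = {}, {}
    for line in logical_lines(conf_text):
        word = line.split(None, 1)[0].lower()
        if word in GLOBAL_TLS:
            global_ctx[GLOBAL_TLS[word]] = shlex.split(line)[1]
        elif word == "syncrepl":
            p = parse_syncrepl(line)
            uses_tls = (p.get("provider", "").lower().startswith("ldaps://")
                        or p.get("starttls", "").lower() in ("yes", "critical"))
            report = {"provider": p.get("provider"), "uses_tls": uses_tls}
            for key in ("tls_cert", "tls_key", "tls_cacert"):
                # Value set on the directive wins; otherwise fall back to the
                # global context (the inheritance this thread is about).
                report[key] = p.get(key, global_ctx.get(key))
                report[key + "_source"] = ("syncrepl" if key in p
                                           else "global" if key in global_ctx
                                           else None)
            report["inherits_server_cert"] = (
                uses_tls and "tls_cert" not in p and "tls_cert" in global_ctx)
            consumers[p.get("rid", "?")] = report
    return consumers


if __name__ == "__main__":
    for rid, r in effective_tls(SAMPLE_CONF).items():
        flag = "  <-- presents the server's own certificate" \
            if r["inherits_server_cert"] else ""
        print(f"rid={rid} {r['provider']}: tls_cert={r['tls_cert']} "
              f"({r['tls_cert_source']}){flag}")
```

Run it against the real slapd.conf by replacing SAMPLE_CONF with the file's contents; any consumer flagged with inherits_server_cert is one the provider will see authenticating with the server certificate, which is exactly the case a provider configured to demand a specific client certificate will refuse.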