Re: Phantom certificates?

["Andrew D. Arenson" <aarenson@iu.edu>]

On Wed, May 07, 2014 at 09:42:33AM +0200, Hallvard Breien Furuseth wrote:
> On 05/06/2014 05:26 PM, Andrew D. Arenson wrote:
> >(...) if I set
> >TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but
> >as far as I can tell has no actuall certificates in that database, ldap
> >search tells me, surprisingly, that the server's certificate _IS_ verified.
> >
> >         How is openldap verifying my server's certificate?
> 
> Maybe this is a variant of ITS#5582: Setting TLS_CACERT to any
> certificate.pem file also tells OpenSSL to check the system's
> standard installed certs.  OpenLDAP should have a separate
> option for that, or the opposite - an option not to do that.

  	 Thanks. I didn't find an option for turning on/off the
use of a system's standard installed certs. Are you saying that you
think something like that _does_ exist, or that you simply think it
should?

	 I tried moving my certs directory out of the default location
of /etc/pki/tls, but was still unable able to generate a failure to
verify the certificate when TLS_CACERTDIR was set to
/etc/openldap/certs.

Andy

-- 
Andrew D. Arenson                                      | aarenson (@) iu.edu
Advanced Biomedical IT Core, Research Technologies, UITS  | W (317) 278-1208
RT is a PTI Cyberinfrastructure & Service Center          | C (317) 679-4669
Indiana University Purdue University Indianapolis         | F (317) 278-1852