
Re: Phantom certificates?



On Wed, May 07, 2014 at 02:22:07PM -0700, Quanah Gibson-Mount wrote:
> 
> 
> --On May 7, 2014 at 4:14:36 PM -0400 "Andrew D. Arenson"
> <aarenson@iu.edu> wrote:
> 
> >On Tue, May 06, 2014 at 09:45:17PM -0700, Quanah Gibson-Mount wrote:
> >>
> >>
> >>--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson"
> >><aarenson@iu.edu> wrote:
> >>
> >>>	I am trying to understand how a ldap server's certificate is
> >>> being verified in the absence of the appropriate CA certificates.  I
> >>> have openldap 2.4.23-34 installed.
> >>
> >>So I'm guessing you are using RHEL's utterly broken packages for
> >>OpenLDAP. I would advise you to get a real, functioning OpenLDAP
> >>build, or build OpenLDAP yourself.  You can obtain functional builds
> >>from Symas or the LTB project.
> >
> >        It is, indeed, RHEL. Have you got a pointer to info about how
> >they are broken?
> 
> They link to a non-standard SSL implementation they linked in
> themselves, for one, that has serious issues (You can search on that
> if you like)
> They ship 2.4.23 which is *years* out of date and has many numerous
> bugs fixed since then (See the change log on the OpenLDAP website)
> 
> It should never be used for a production installation.

Thank you.

The change log shows that 2.4.23 is from the middle of 2010. Ugh.

I see that RHEL links to something called NSS.  If you
have handy links to documentation/info about the problems with NSS, I
would love to see them. I'll be looking, but if you already know where
to look, I'd certainly appreciate it.

Andy

-- 
Andrew D. Arenson                                      | aarenson (@) iu.edu
Advanced Biomedical IT Core, Research Technologies, UITS  | W (317) 278-1208
RT is a PTI Cyberinfrastructure & Service Center          | C (317) 679-4669
Indiana University Purdue University Indianapolis         | F (317) 278-1852