
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

Am 30.01.2017 um 21:49 schrieb Quanah Gibson-Mount:
> For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series).

Hello,

For nearly a week now I have been running that release without any noise.
It's compiled against openssl-1.1.0d and runs on an IPv6-only host.
But: it's a small private server, no load, no replication...

One point is worth mentioning:
I exposed the server also on port 443 and did a scan with ssllabs.com.
While I'm pretty sure I configured the certificates properly,
ssllabs proves that the server delivers not only the certificate and the intermediate
but also the root as part of the initial SSL handshake.

My TLS settings are:
	TLSCertificateFile      /path/to/cert.pem
	TLSCertificateKeyFile   /path/to/key.pem
	TLSCACertificateFile    /path/to/intermediate.pem
	TLSCACertificatePath    /path/to/an/empty/directory/
	TLSProtocolMin		3.3

$ openssl x509 -noout -in /path/to/cert.pem -issuer -subject
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=ldap-test.example.org

$ openssl x509 -noout -in /path/to/intermediate.pem -issuer -subject
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

A manual test using openssl s_client also proves the root is wrongly delivered:
$ echo | openssl11 s_client -connect ldap-test.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap-test.example.org
verify return:1
---
Certificate chain
...

Ultimate features would be OCSP stapling (OK, no LDAP client currently implements that)
and setting ecdh_curve via SSL_CTX_set1_curves_list.

Andreas
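Added here as an example and not part of the mail above: a small Python script that parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports the misconfiguration described, a self-signed root sent by the server, as well as chain-order gaps. The sample output embedded in it is constructed to mirror the chain from the mail, not captured from a real host.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, modelled on the
# chain discussed in the mail (leaf, Let's Encrypt intermediate, DST root).
# PEM bodies are omitted; only the s:/i: lines matter for this check.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
---
Certificate chain
 0 s:CN = ldap-test.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
(constructed placeholder, PEM body omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
(constructed placeholder, PEM body omitted)
-----END CERTIFICATE-----
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
(constructed placeholder, PEM body omitted)
-----END CERTIFICATE-----
---
Server certificate
"""

# One chain entry: an index line " N s:<subject>" followed by "   i:<issuer>".
# Works for both the OpenSSL 1.0 "/CN=..." and the 1.1 "CN = ..." name styles.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(showcerts_output)]

def audit_chain(chain):
    """Return findings for the chain the server sent. A correctly configured
    server sends the leaf first, then intermediates, and omits the self-signed
    root: clients must already trust the root, so sending it only adds bytes
    to every handshake and can mask a trust-store problem on the client."""
    findings = []
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append(f"cert {n} is self-signed (a root) and should not be sent")
        if n + 1 < len(chain) and issuer != chain[n + 1][0]:
            findings.append(f"cert {n} issuer does not match cert {n + 1} subject")
    return findings
```

Run it against a live host with `echo | openssl s_client -connect host:port -showcerts` piped into `parse_chain`; an empty findings list means the chain ends at the intermediate as intended.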