Re: Quick question about OpenLDAP Server CA certificate handling
- To: openldap-technical@openldap.org
- Subject: Re: Quick question about OpenLDAP Server CA certificate handling
- From: "A. Schulze" <sca@andreasschulze.de>
- Date: Sat, 13 Apr 2019 16:48:48 +0200
- Content-language: en-US
- In-reply-to: <aae98896-e973-bae1-8eaa-d4a7fa6d29dd@ed.ac.uk>
- References: <aae98896-e973-bae1-8eaa-d4a7fa6d29dd@ed.ac.uk>
On 11.04.19 at 13:35, Mark Cairney wrote:
Hello Mark,
> However based on our understanding of how SSL works we should only
> actually need the intermediate(s) in there as the client should have the
> root and then compare the intermediate provided by the server and only
> trust it if it can use this in conjunction with its copy of the root
> certificate to complete the chain of trust.
>
> Based on this we configure our web servers to only have the
> intermediate(s) in their chain (and in fact SSL Labs marks you down if
> you have the root in there too).
That's best practice for *any* TLS server.
Have a look at https://www.openldap.org/its/index.cgi?findid=8586
With the referenced patch I can set up
TLSCertificateFile /path/to/cert+intermediate.pem
TLSCertificateKeyFile /path/to/privkey.pem
I have no TLSCACertificateFile at all because I don't use certificates
to authenticate LDAP clients...
> Of course we do realise LDAP is not HTTP!
I think it *is* very similar...
Andreas
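The post's recommendation is a bundle for TLSCertificateFile that holds the server certificate followed by its intermediate(s), with the root left out because the client already has it. Below is an added checker for that layout; it is example code written for this page, not part of the thread, of OpenLDAP, or of the referenced patch. It reads a PEM bundle, walks the tbsCertificate fields with a minimal DER reader, and reports when a certificate is not issued by the one after it or when the last certificate is self-signed. The certificate names (ldap.example.org, Example Intermediate CA, Example Root CA) and the sample certificates are constructed, unsigned, name-only DER built in the block itself; the checker compares names only and never verifies signatures, so a cryptographic check of a real chain still belongs to `openssl verify`.

```python
"""Sanity-check a PEM bundle meant for OpenLDAP's TLSCertificateFile:
leaf first, each certificate issued by the next one, and no self-signed
root at the end (the client already holds the root). Names are compared
as raw DER; signatures are not verified, use `openssl verify` for that."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"   # DER-encoded OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Parse the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings taken from tbsCertificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = nxt
    pos = read_tlv(der, pos)[2]            # serialNumber
    pos = read_tlv(der, pos)[2]            # signature AlgorithmIdentifier
    start = pos
    pos = read_tlv(der, pos)[2]            # issuer Name
    issuer = der[start:pos]
    pos = read_tlv(der, pos)[2]            # validity
    start = pos
    pos = read_tlv(der, pos)[2]            # subject Name
    return der[start:pos], issuer

def common_name(name_der):
    """Best-effort CN for messages: the string that follows the commonName OID."""
    i = name_der.find(CN_OID)
    if i < 0:
        return "<no CN>"
    _, vs, ve = read_tlv(name_der, i + len(CN_OID))
    return name_der[vs:ve].decode("utf-8", "replace")

def pem_to_ders(text):
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]

def check_chain(pem_text):
    """Return a list of findings; an empty list means the bundle looks right."""
    certs = [subject_issuer(d) for d in pem_to_ders(pem_text)]
    if not certs:
        return ["no certificates found"]
    findings = []
    for i in range(len(certs) - 1):
        subj, issuer = certs[i]
        next_subj = certs[i + 1][0]
        if issuer != next_subj:
            findings.append(f"cert {i} ({common_name(subj)}) is not issued by cert {i + 1} "
                            f"({common_name(next_subj)}): wrong order or wrong chain")
    last_subj, last_issuer = certs[-1]
    if last_subj == last_issuer:
        findings.append(f"last cert ({common_name(last_subj)}) is self-signed: "
                        "a root CA does not belong in TLSCertificateFile")
    return findings

# --- constructed sample input: hypothetical names, unsigned name-only DER ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn):
    """Name ::= SEQUENCE OF RDN, here a single commonName attribute."""
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))

def fake_cert(subject_cn, issuer_cn):
    """Certificate-shaped DER with the real tbsCertificate field order but a dummy signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"290101000000Z"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
           + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))

def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

LEAF = to_pem(fake_cert("ldap.example.org", "Example Intermediate CA"))
INTERMEDIATE = to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = to_pem(fake_cert("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    for label, bundle in [("leaf+intermediate", LEAF + INTERMEDIATE),
                          ("with root appended", LEAF + INTERMEDIATE + ROOT),
                          ("reversed order", INTERMEDIATE + LEAF)]:
        print(label, "->", check_chain(bundle) or "OK")
```

To run it against a real file, pass the contents of the path used for TLSCertificateFile to `check_chain` (for example `check_chain(open("/path/to/cert+intermediate.pem").read())`); a clean result means the bundle has the leaf-then-intermediate shape the post describes and no root tacked on the end.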