[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8586) load cert+chain from TLSCertificateFile

sca+openldap@andreasschulze.de wrote:
> Full_Name: Andreas Schulze
> Version: RE24 testing call (2.4.45)
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
> Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)
> as discussed on the technical ML it's uncommon to put chain certificates in
> TLSCACertificateFile or TLSCACertificatePath.

It is explicitly documented. http://www.openldap.org/doc/admin24/tls.html

You may argue that it is uncommon for people to read the docs but that doesn't 
constitute a software bug.

> In case of a intermediate CA like
> "Let's Encrypt Authority X3" it may be wrong becaus the user is forced to
> /TRUST/ that intermediate for a unrelated purpose.

That doesn't follow. The file used by slapd is only used to authenticate LDAP 

There is no bug here, this ITS is invalid.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/