Hi,

After upgrading to 6.8-release I can no longer connect to my ldap server with openldap and SSL/TLS. I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x
(openldap client)

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes
ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,
G
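A check for the hash-named links listed in the post, as an added example that is not part of the original message: it compares each `<hash>.<n>` name in a TLS_CACERTDIR-style directory with the subject hash that the installed `openssl` computes for the file the entry resolves to. The function names `check_cacertdir` and `cert_hash` are made up here, and the script assumes the `openssl` on PATH comes from the same library build the LDAP client links against.

```shell
#!/bin/sh
# Added example: audit an OpenSSL-style CA directory (the TLS_CACERTDIR layout).
# Assumption: the `openssl` binary on PATH matches the TLS library the client
# uses; the directory to audit is passed in by the caller.

# Print the subject hash the installed openssl computes for a PEM certificate.
cert_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# check_cacertdir DIR
# Every <8 hex digits>.<n> entry must resolve to a certificate whose computed
# subject hash equals the entry's name; otherwise a by-hash lookup in DIR
# cannot find that CA. Prints one status line per entry and returns 0 only
# when at least one entry exists and all entries are usable.
check_cacertdir() {
    dir=$1
    bad=0
    seen=0
    for entry in "$dir"/*.[0-9]; do
        name=${entry##*/}
        case ${name%.*} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) continue ;;   # not a hash-named entry (or the glob matched nothing)
        esac
        seen=$((seen + 1))
        if [ ! -e "$entry" ]; then
            echo "DANGLING   $name"; bad=$((bad + 1)); continue
        fi
        want=$(cert_hash "$entry") || want=
        if [ -z "$want" ]; then
            echo "UNREADABLE $name (not a PEM certificate?)"; bad=$((bad + 1))
        elif [ "$want" != "${name%.*}" ]; then
            echo "MISMATCH   $name should be $want.${name##*.}"; bad=$((bad + 1))
        else
            echo "OK         $name"
        fi
    done
    [ "$seen" -gt 0 ] || { echo "NO HASH ENTRIES in $dir"; return 1; }
    [ "$bad" -eq 0 ]
}

# Run against a directory when one is given, e.g. /etc/openldap/cacerts.
if [ "$#" -gt 0 ]; then check_cacertdir "$1"; fi
```

A MISMATCH line means the link name was produced by a different hash computation than the one the installed library uses, so the links need to be regenerated with that library's own tooling.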