On 2020-12-22, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> Hi,
>
> After upgrading to 6.8-release I can no longer connect to my ldap server with
> openldap and SSL/TLS.
> I'm using a self-signed root CA to sign LDAP server's certificate.
>
> /etc/openldap/ldap.conf has:
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT demand
>
> # /usr/local/bin/ldapsearch -d9 -x (openldap client)
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Even setting TLS_CACERT does not fix it, only making
> TLS_REQCERT never
>
> TLS_CACERTDIR has pem certificates and links with them with hashes
>
> ktrace does not show any reads on TLS_CACERTDIR
>
> bbbf0019.0@ -> My_ROOT_CA.asc
> My_ROOT_CA.asc@ -> My_ROOT_CA.pem
>
> Apparently this also breaks freeradius which seems logical.
>
> Thanks,
>
> G
There were big changes in certificate validation in libressl a little before 6.8 and various problems have been found with them. I added a workaround for one issue in a -stable packages update to openldap, some are fixed in libressl in -current, and workarounds for some ports have been made by changing them to use openssl instead of libressl. Your best option is probably to run -current and report back if there are still problems and then hopefully 6.9 will be better.
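One way to separate "the hashed CA directory is wrong" from "the library's verifier rejects a chain it used to accept" is to rebuild the setup from the thread with throwaway certificates and run the verification through openssl(1) directly, outside the LDAP client. The script below is an added example for this page, not code from the thread, from OpenLDAP or from OpenBSD. It assumes an `openssl` binary in PATH (OpenSSL or LibreSSL), uses a scratch directory in place of /etc/openldap/cacerts, and the CA and server names in it are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): build a self-signed root CA and
# a server certificate signed by it, install the CA into a TLS_CACERTDIR-style
# hashed directory, and verify the server certificate against that directory
# the way a TLS client with TLS_REQCERT demand would.  All names and paths
# below are assumptions for illustration; nothing in /etc/openldap is touched.
set -eu

WORK=$(mktemp -d)             # scratch area, removed on exit
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/cacerts"         # stands in for /etc/openldap/cacerts
mkdir -p "$CADIR"

# 1. Self-signed root CA (hypothetical CN), playing the role of My_ROOT_CA.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/My_ROOT_CA.pem" 2>/dev/null

# 2. Server key and CSR, then a leaf certificate issued by the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/My_ROOT_CA.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null

# 3. Populate the directory the way TLS_CACERTDIR expects: <subject-hash>.0
#    pointing at the PEM file.  The hash has to come from the same libcrypto
#    the client links against; "-hash" is the current (SHA-1 based) scheme,
#    "-subject_hash_old" is the legacy MD5 one and will not be found.
install_ca() {
    cp "$1" "$CADIR/"
    h=$(openssl x509 -noout -hash -in "$1")
    ln -sf "$(basename "$1")" "$CADIR/$h.0"
    echo "$h"
}
HASH=$(install_ca "$WORK/My_ROOT_CA.pem")

# 4. Checks that return 0 on success so they can be scripted or asserted on.
verify_capath() {   # equivalent of TLS_CACERTDIR with TLS_REQCERT demand
    openssl verify -CApath "$CADIR" "$WORK/server.pem" >/dev/null 2>&1
}
verify_cafile() {   # equivalent of TLS_CACERT pointing at the CA file
    openssl verify -CAfile "$WORK/My_ROOT_CA.pem" "$WORK/server.pem" >/dev/null 2>&1
}
verify_empty_dir() {   # reproduces "unable to get local issuer certificate"
    empty=$(mktemp -d)
    rc=0
    openssl verify -CApath "$empty" "$WORK/server.pem" >/dev/null 2>&1 || rc=$?
    rmdir "$empty"
    return $rc
}

# Stand-alone run: print the hash link that was created and the three results.
ls -l "$CADIR"
verify_capath    && echo "CApath verify: OK"
verify_cafile    && echo "CAfile verify: OK"
verify_empty_dir || echo "empty CApath verify: failed as expected"
```

If `openssl verify -CApath` succeeds against the real /etc/openldap/cacerts (pass that directory and the server's certificate instead of the scratch files) while `ldapsearch` still fails, the CA store is not the problem and the difference lies in the client or in the library it is linked against; if it fails, re-check the hash in the link name with `openssl x509 -noout -hash` from the same libcrypto the client uses.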