On 23/12/2020 03:53, Stuart Henderson wrote:
> On 2020-12-22, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> > Hi,
> >
> > After upgrading to 6.8-release I can no longer connect to my LDAP server with
> > openldap and SSL/TLS.
> > I'm using a self-signed root CA to sign the LDAP server's certificate.
> >
> > /etc/openldap/ldap.conf has:
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT demand
> >
> > # /usr/local/bin/ldapsearch -d9 -x (openldap client)
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> > TLS certificate verification: Error, unable to get local issuer certificate
> > TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
> > TLS certificate verification: Error, unable to get local issuer certificate
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > Even setting TLS_CACERT does not fix it; only setting
> > TLS_REQCERT never
> > does.
> >
> > TLS_CACERTDIR has PEM certificates and hashed links to them.
> >
> > ktrace does not show any reads on TLS_CACERTDIR.
> >
> > bbbf0019.0@ -> My_ROOT_CA.asc
> > My_ROOT_CA.asc@ -> My_ROOT_CA.pem
> >
> > Apparently this also breaks freeradius, which seems logical.
> >
> > Thanks,
> >
> > G
>
> There were big changes in certificate validation in libressl a little
> before 6.8 and various problems have been found with them. I added a
> workaround for one issue in a -stable packages update to openldap,
> some are fixed in libressl in -current, and workarounds for some
> ports have been made by changing them to use openssl instead of
> libressl.
>
> Your best option is probably to run -current and report back if
> there are still problems and then hopefully 6.9 will be better.



Yes, after upgrading to -current both problems were fixed (before pkg_add -u).

thanks,

G
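A diagnostic for the TLS_CACERTDIR setup discussed in this thread, added here as an example and not taken from the thread or from the OpenLDAP/LibreSSL code: it checks the hashed-link layout and verifies a certificate against the directory with openssl(1) alone, which separates a mis-populated CA directory from a client-library regression like the one reported above. It assumes the openssl command is installed and that CA files in the directory end in .pem; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Checks that a TLS_CACERTDIR is laid
# out the way OpenSSL/LibreSSL's hashed lookup expects (<subject_hash>.N -> CA PEM)
# and verifies a certificate against it with openssl(1) alone, so a failure can be
# attributed either to the directory or to the LDAP client's TLS library.
# Assumes the openssl command is installed and CA files in the directory end in .pem.

# Print the subject hash OpenSSL uses to name links in a CApath (what c_rehash does).
ca_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# Return 0 if every CA PEM in the directory has a readable <hash>.N link, else 1.
check_cacertdir() {
    dir=$1 rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || { echo "no .pem files in $dir"; return 1; }
        h=$(ca_hash "$pem") || { echo "unreadable certificate: $pem"; rc=1; continue; }
        # Expand the <hash>.N links for this CA into the positional parameters.
        set -- "$dir/$h".[0-9]*
        if [ -e "$1" ]; then
            for link; do
                # -r follows the symlink, so a dangling link fails here.
                [ -r "$link" ] || { echo "dangling link: $link"; rc=1; }
            done
        else
            echo "no hash link for $pem (expected $dir/$h.0)"; rc=1
        fi
    done
    return $rc
}

# Return 0 if certificate $2 chains to a CA in hashed directory $1, the same lookup
# ldap.conf's TLS_CACERTDIR relies on. The system default CA file is consulted too.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run check_cacertdir on the configured directory first; if it passes but verify_against_dir on the server certificate fails, the directory is not the problem.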
