--On Tuesday, November 2, 2021 11:38 PM +0000 "Ballem, Narayanan" <[email protected]> wrote:

openssl s_client -connect localhost:1636 -ssl3 -quiet

depth=3 CN = XXX Root Certificate Authority

verify return:1

I am unable to reproduce this on RHEL7.

With no TLS protocol min set:

openssl s_client -connect localhost:636  -ssl3 -quiet
depth=0 CN = c7rpmtest
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = c7rpmtest
verify error:num=10:certificate has expired
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1
depth=0 CN = c7rpmtest
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1


With TLS protocol min set to 3.2 or 3.3:

# openssl s_client -connect localhost:636  -ssl3 -quiet
140008023218064:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:


It appears you are modifying slapd.conf, while the default RHEL7 packages use cn=config, so modifications made to a slapd.conf file would have no effect if cn=config is in use.

As an aside I would note that OpenLDAP 2.4.54 is rather old and that the 2.4 release series is historic and no longer supported. You may wish to avail yourself of the free replacement packages for RHEL7 that are provided by Symas at <https://repo.symas.com/soldap/> which are linked to a current release of OpenSSL vs the ancient RHEL7 openssl, and are also for the current supported OpenLDAP 2.6 release series. If you are insistent on using the historic unsupported OpenLDAP 2.4 release, we also have free replacement packages providing OpenLDAP 2.4.59 on RHEL7 at <https://repo.symas.com/sofl/rhel7/>.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
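Added example (not part of the original message, and not Symas or OpenLDAP project code): a check for the situation described in the reply, where a TLS protocol minimum written to slapd.conf has no effect because cn=config is in use. It assumes slapd is started without -f/-F, so it reads the slapd.d directory before falling back to slapd.conf; the function names and the temporary demo layout are constructed for illustration.

```shell
#!/bin/sh
# Report which slapd configuration source is in effect under a config root
# (e.g. /etc/openldap on RHEL7) and the TLS protocol minimum it sets.
# Assumption: slapd runs without -f/-F, so slapd.d (cn=config) wins over
# slapd.conf whenever it exists.
# Values: 3.2 = TLS 1.1, 3.3 = TLS 1.2.

effective_tls_min() {
    root=$1
    if [ -f "$root/slapd.d/cn=config.ldif" ]; then
        src="cn=config"
        # olcTLSProtocolMin is an attribute of the cn=config entry.
        val=$(awk -F': *' 'tolower($1) == "olctlsprotocolmin" { print $2; exit }' \
              "$root/slapd.d/cn=config.ldif")
    elif [ -f "$root/slapd.conf" ]; then
        src="slapd.conf"
        # slapd.conf directive: TLSProtocolMin <major>.<minor>
        val=$(awk 'tolower($1) == "tlsprotocolmin" { print $2; exit }' \
              "$root/slapd.conf")
    else
        echo "none unset"
        return 1
    fi
    echo "$src ${val:-unset}"
}

# Constructed layout: slapd.conf carries the setting, cn=config does not.
demo_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/slapd.d"
    printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\n' \
        > "$d/slapd.d/cn=config.ldif"
    printf 'TLSProtocolMin 3.3\n' > "$d/slapd.conf"
    echo "$d"
}

d=$(demo_layout)
effective_tls_min "$d"   # prints "cn=config unset": the slapd.conf edit is ignored
rm -rf "$d"
```

On a real host, pass the actual configuration root (for example `effective_tls_min /etc/openldap`) and confirm the result with an `openssl s_client` test like the ones in the message.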
