On 7/28/2016 8:41 AM, Howard Chu wrote:
Nat Sincheler wrote:
On 7/27/2016 11:19 PM, Ulrich Windl wrote:
Nat Sincheler <[email protected]> wrote on 26.07.2016 at 17:20 in message <[email protected]>:
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
Nat Sincheler <[email protected]> wrote on 25.07.2016 at 19:06 in message <[email protected]>:
We have an OpenLDAP server that is listening on port 636 over ldaps.
When I run
openssl s_client -showcerts -connect ldap-server:636
I only see the host certificate. The intermediate and root certificates
do *not* come through.
If I do that on one of our servers, I get:
Root CA
Intermediate CA
Server Certificate
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
For this server I have in the file slapd.d/cn=config.ldif the setting
olcTLSCACertificatePath: /etc/ssl/certs
Hi!
Here it works with these settings:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
Could it be a permissions problem? Did you try to check the certificate
chain with openssl (preferably as the LDAP user)?
When I run the openssl s_client command I get no errors, but I also get
no intermediate or root certificates sent. I see this in the output:
"No client certificate CA names sent".
Hi!
To me it looks like a problem with your certificates. Try to verify them
using openssl, like this:
openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK
% grep -R Certificate *.ldif
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OK
So, the openssl command line can find the certificate chain. Why can't
openldap?
If your OpenLDAP build is not behaving the same as your OpenSSL build,
then most likely your OpenLDAP was not built with OpenSSL. Otherwise,
their behavior would match.
You never provided essential information such as OS platform and
OpenLDAP version, so nobody can give you definitive answers.
We are using version 2.4.42 of OpenLDAP compiled on Debian jessie, which
uses GnuTLS rather than OpenSSL.
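The `openssl verify` run in the thread only proves the chain can be built from files on disk; it says nothing about which certificates slapd actually presents on port 636. The helper below (an added example, not code from the thread or from OpenLDAP) parses `openssl s_client -showcerts` output the way the original poster read it by eye, and also counts the certificates in the file named by olcTLSCertificateFile, since that is the file whose contents the server sends. The sample s_client output and the hostname `ldap-server.example.com` are constructed for the example.

```shell
#!/bin/sh
# Diagnose a TLS chain that is verifiable locally but not presented by the server.
# Live use:  openssl s_client -showcerts -connect ldap-server:636 </dev/null | chain_count

# Number of PEM certificate blocks in s_client -showcerts output read from stdin.
chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true   # grep exits 1 on a count of 0
}

# Subjects of the presented certificates in the order sent: the server
# certificate first, then any intermediates the server includes.
chain_subjects() {
    sed -n 's/^ *[0-9][0-9]* s:\(.*\)$/\1/p'
}

# Succeeds only if the server sent more than the leaf certificate.
chain_complete() {
    n=$(chain_count)
    [ "$n" -gt 1 ]
}

# Number of certificates concatenated in a local PEM file, e.g. the file
# configured as olcTLSCertificateFile; 1 means only the leaf is there.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed sample mirroring the report: only the leaf is presented.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap-server.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholdernotarealcertificate==
-----END CERTIFICATE-----
---
No client certificate CA names sent
---'

if printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | chain_complete; then
    echo "server presents intermediates"
else
    echo "server presents only the leaf; inspect the olcTLSCertificateFile contents"
fi
```

For a GnuTLS build the file count is the one to compare against the s_client count: if the file holds only one certificate, the server has nothing more to send regardless of olcTLSCACertificatePath.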