On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote:
> For this testing call, we particularly need folks to test OpenLDAP with 
> startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with 
> the 1.1 series).

Hello,

For nearly a week now I have been running that release without any noise.
It's compiled against openssl-1.1.0d and runs on an IPv6-only host.
But: it's a small private server, no load, no replication...

One point is worth mentioning:
I exposed the server also on port 443 and did a scan with ssllabs.com.
While I'm pretty sure I configured the certificates properly,
ssllabs proves the server delivers not only the certificate and intermediate
but also the root as part of the initial SSL handshake.

my TLS settings are:
        TLSCertificateFile      /path/to/cert.pem
        TLSCertificateKeyFile   /path/to/key.pem
        TLSCACertificateFile    /path/to/intermediate.pem
        TLSCACertificatePath    /path/to/an/empty/directory/
        TLSProtocolMin          3.3

$ openssl x509 -noout -in /path/to/cert.pem -issuer -subject
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=ldap-test.example.org

$ openssl x509 -noout -in /path/to/intermediate.pem -issuer -subject
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

A manual test using openssl s_client also proves the root is wrongly delivered:
$ echo | openssl11 s_client -connect ldap-test.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap-test.example.org
verify return:1
---
Certificate chain
...

Ultimate features would be OCSP stapling (OK, no LDAP client currently
implements that)
and setting ecdh_curve via SSL_CTX_set1_curves_list.

Andreas
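The check Andreas did by eye on the s_client output (does the served chain contain the root?) can be scripted. The following is an added example, not code from the post or from OpenLDAP: it splits a PEM bundle into its certificates and counts those whose subject equals their issuer, which is exactly the self-signed root that should not be on the wire. To keep it runnable offline it builds a throwaway root/intermediate/leaf chain with the openssl CLI; the names (Example Root, Example Intermediate), the paths and the lack of CA extensions on the intermediate are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP itself):
# count the self-signed certificates in a PEM bundle, which is the
# quickest way to tell whether a server ships its root CA in the handshake.
# Requires the openssl CLI. The chain built by make_test_chain is
# constructed here for the demo; its names and paths are assumptions.
set -eu

# count_self_signed BUNDLE
#   Splits BUNDLE into its individual certificates and prints how many of
#   them have subject == issuer. Input may be a plain PEM file or the raw
#   output of `openssl s_client -showcerts`; anything outside the
#   BEGIN/END CERTIFICATE markers is ignored. Name hashes are compared
#   instead of printed DNs, so it behaves the same on OpenSSL 1.0 and 1.1,
#   whose -subject/-issuer text formats differ.
count_self_signed() {
    bundle="$1"
    n=0
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { i++; inside = 1 }
        inside                        { print > (dir "/cert" i ".pem") }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subj=$(openssl x509 -noout -subject_hash -in "$f")
        iss=$(openssl x509 -noout -issuer_hash -in "$f")
        if [ "$subj" = "$iss" ]; then
            n=$((n + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$n"
}

# make_test_chain DIR
#   Builds a throwaway root -> intermediate -> leaf chain in DIR and writes
#   two bundles: chain-good.pem (leaf + intermediate, what a server should
#   send) and chain-with-root.pem (the same plus the root). No CA extensions
#   are added because only subject/issuer matter for this check.
make_test_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap-test.example.org" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/chain-good.pem"
    cat "$dir/leaf.pem" "$dir/int.pem" "$dir/root.pem" > "$dir/chain-with-root.pem"
}

# Demo: build the constructed chain and check both bundles.
demo() {
    work=$(mktemp -d)
    make_test_chain "$work"
    echo "leaf+intermediate:      $(count_self_signed "$work/chain-good.pem") self-signed cert(s)"
    echo "leaf+intermediate+root: $(count_self_signed "$work/chain-with-root.pem") self-signed cert(s)"
    rm -rf "$work"
}
demo
```

Against a live server, save the handshake output and feed it in, e.g. `echo | openssl s_client -connect ldap-test.example.org:636 -showcerts 2>/dev/null > chain.pem` followed by `count_self_signed chain.pem`; anything other than 0 means a self-signed certificate travelled in the handshake. Note the check only catches a true self-signed root: a cross-signed intermediate has a different issuer and is not flagged.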
