On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.

You should probably submit a real bug report instead of jumping to conclusions
on misc@

>
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe
> ...
>Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
>openldap proxies were screwed too. I configured explicitly
>
>olcTLSCACertificatePath: /etc/ssl/certs
>
>But that broke so I had to change to:

"Broke".. how?

>olcTLSCACertificateFile: /etc/ssl/cert.pem
>
>... and I had to change also /etc/openldap/ldap.conf from:
>
>TLS_CACERTDIR /etc/ssl/certs
>
>to
>
>TLS_CACERT /etc/ssl/cert.pem
>
>to keep syncrepl running.

You are a little bit thin on details here. The changes in the validator
should not affect the loading of your certificates. Are you using openldap
from packages or something else?

So please pass on some details and perhaps a succinct way to reproduce and
include the error messages you see. Probably as a real bug report instead of
misc discussions.
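
One way to isolate the hashed-directory lookup discussed in this thread, as an added example that is not part of either poster's message: it builds a throwaway CA and leaf, then verifies the leaf once through a hashed directory (-CApath) and once through a single file (-CAfile). The function name, subject names and temporary paths are constructed for illustration; the hash link is made by hand with "openssl x509 -hash" instead of "openssl certhash" so the script also runs where certhash is unavailable, and it exercises only the openssl command-line tool, not OpenLDAP.

```shell
#!/bin/sh
# Constructed reproduction: throwaway CA and leaf, nothing from the thread's systems.
# Prints a status string such as "capath=ok cafile=ok".
check_ca_lookup() {
    work=$(mktemp -d) || return 2
    mkdir "$work/certs" || return 2

    # Throwaway self-signed CA (constructed test data).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$work/ca.key" -out "$work/certs/ca.pem" 2>/dev/null || return 2

    # Leaf certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$work/leaf.csr" -days 1 -set_serial 2 \
        -CA "$work/certs/ca.pem" -CAkey "$work/ca.key" \
        -out "$work/leaf.pem" 2>/dev/null || return 2

    # Directory lookup expects <subject-hash>.0 pointing at the CA certificate.
    hash=$(openssl x509 -noout -hash -in "$work/certs/ca.pem") || return 2
    ln -s ca.pem "$work/certs/${hash}.0" || return 2

    # Judge by the "<file>: OK" line rather than the exit status.
    capath=fail
    cafile=fail
    openssl verify -CApath "$work/certs" "$work/leaf.pem" 2>&1 \
        | grep -q ': OK$' && capath=ok
    openssl verify -CAfile "$work/certs/ca.pem" "$work/leaf.pem" 2>&1 \
        | grep -q ': OK$' && cafile=ok

    rm -rf "$work"
    echo "capath=$capath cafile=$cafile"
}

check_ca_lookup
```

A result of "capath=fail cafile=ok" would point at the directory lookup itself; "capath=ok cafile=ok" would point at how the application loads its CA path.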