On 20 Oct 20:21, Bob Beck wrote:
> On 20 Oct 21:01, Uwe Werler wrote:
> > Hi folks,
> >
> > before opening a bug report I'll ask here because I want to make sure that I
> > have not missed something.
>
> You should probably submit a real bug report instead of jumping to
> conclusions on misc@
Hi Bob, it was in the middle of the night and I got quite stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out. But as in 99.9% of the cases I wanted to be sure that the problem doesn't sit between screen and keyboard because I missed or misconfigured something. Will open a proper bug report now.

>
> >
> > With the upgrade to 6.8 my cert validation seems to be broken because the
> > hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> > L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl
> > certhash".
> > That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> > certs to /etc/ssl/cert.pem works.
> >
> > Did I miss something? I guess something changed during k2k20 in "certificate
> > chain validation in libcrypto"?
> >
> > Thanks and with kind regards.
> >
> > Uwe
> >
> ...
> > Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
> > openldap proxies were screwed too. I configured explicitly
> >
> > olcTLSCACertificatePath: /etc/ssl/certs
> >
> > But that broke so I had to change to:
>
> "Broke".. how?

The certificate chain can't be verified anymore, so ldap connections (server - server and client - server) can't be established anymore.

> >
> > olcTLSCACertificateFile: /etc/ssl/cert.pem
> >
> > ... and I had to change also /etc/openldap/ldap.conf from:
> >
> > TLS_CACERTDIR /etc/ssl/certs
> >
> > to
> >
> > TLS_CACERT /etc/ssl/cert.pem
> >
> > to keep syncrepl running.
>
> You are a little bit thin on details here. The changes in the validator
> should not affect the loading of your certificates.

slapd acts as an ldap client for syncreplication to work and is therefore configured via /etc/openldap/ldap.conf. But because the validation stopped working, syncrepl also stopped working.

> Are you using openldap from packages or something else?

Yes, always from ports.
>
> So please pass on some details and perhaps a succinct way to reproduce
> and include the error messages you see. Probably as a real bug report
> instead of misc discussions.
>

Yes, I'll open a bug report now.

mbk
Uwe
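As an added example that is not part of this thread: the script below builds a throwaway CA, puts it into a CApath-style directory with the `<subject_hash>.0` link that libcrypto's directory lookup expects (the layout certhash(1) produces), and checks whether a leaf certificate verifies through the directory and through a single bundle file, which is the TLS_CACERTDIR versus TLS_CACERT distinction discussed above. It assumes `openssl` is in PATH; the CA and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes `openssl` in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA and leaf certificate (names are made up).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Populate a CApath directory: the directory lookup opens <subject_hash>.N,
# so a CA that is merely copied into the directory is never found.
hash_into_dir() { # $1 = CA PEM, $2 = directory
  mkdir -p "$2"
  cp "$1" "$2/ca.pem"
  ln -sf ca.pem "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Exit status 0 when the leaf chains to a CA found via the directory lookup.
verify_with_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Exit status 0 when the leaf chains to a CA found in a bundle file.
verify_with_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Driver: the same leaf must verify through both lookup styles.
make_test_pki
hash_into_dir "$WORK/ca.pem" "$WORK/certs"
verify_with_capath "$WORK/certs" "$WORK/leaf.pem" && echo "CApath lookup: ok"
verify_with_cafile "$WORK/ca.pem" "$WORK/leaf.pem" && echo "CAfile lookup: ok"
```

Pointing `verify_with_capath` at a directory holding the CA without its hash link reproduces the "present but not honored" symptom, which is the first thing to rule out before suspecting the validator itself.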

