On 2020-11-16, Brad Smith <b...@comstyle.com> wrote:
> On 11/16/2020 12:08 AM, Paul B. Henson wrote:
>> I just updated one of my servers running 6.7 to 6.8, and am having a
>> problem with openldap. I have the intermediate cert and root CA in a
>> file referenced by the openldap config:
>>
>> TLSCACertificateFile    /etc/openldap/cabundle.crt
>>
>> Under 6.7 with the openldap port from that version, this results in the
>> chain being served:
>>
>> Certificate chain
>>   0 s:CN = ldap-netsvc.pbhware.com
>>     i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>   1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>     i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>   2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
>>     i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>
>> However, under 6.8 with the newer openldap 2.4.53 port, only the server
>> cert itself is being served, not the intermediate or root:
>>
>> Certificate chain
>>   0 s:CN = ldap-netsvc.pbhware.com
>>     i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>
>> This of course causes clients to fail to validate the server cert :(.
>>
>> I'm running openldap 2.4.53 on other operating systems and as far as I
>> know there's no change in behavior with it. So I'm guessing there's an
>> interoperability issue between openbsd libressl and openldap that's
>> causing this problem?
>>
>> Do I need to configure something differently? Any other suggestions?
>>
>> Thanks much...
>
>
> I remember seeing this commit recently. Not sure if this is your problem 
> or not.
>
> https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2
>
>

Yes, OpenLDAP is broken with TLS 1.3 server-side unless you have that
commit (or build LibreSSL with TLS 1.3 server support disabled). As far
as I can tell there's no method to disable TLS 1.3 via config.
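The diagnosis in this thread came from comparing the "Certificate chain" block that openssl s_client prints under 6.7 and 6.8. The script below is an added example, not code from the thread or from the OpenLDAP or LibreSSL projects: chain_report parses that block, checks that each issuer matches the next subject, and classifies the result (complete / leaf-only / broken-link), and probe runs the same check against a live server with the connection pinned to TLS 1.2 and then TLS 1.3, which is the comparison the last reply's "broken with TLS 1.3 server-side" suggests. The two embedded samples are reconstructed from the outputs quoted above; the host, port and the -tls1_2/-tls1_3 s_client flags are assumptions (the flags exist in OpenSSL 1.1.1+ and recent LibreSSL, but check your build).

```shell
#!/bin/sh
# Added example: classify the certificate chain a TLS server sends,
# parsed from `openssl s_client` output. Not from the original thread.

# Read s_client output on stdin; print depth, linkage and a verdict.
chain_report() {
    awk '
      BEGIN { n = 0 }
      /^Certificate chain/ { in_chain = 1; next }      # start of the block
      /^---/               { in_chain = 0 }            # s_client section separator
      in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
      in_chain && /^ *i:/        { sub(/^ *i:/, "");        iss[n]  = $0; n++ }
      END {
        linked = 1
        # each issuer must be the subject of the next cert served
        for (k = 0; k + 1 < n; k++) if (iss[k] != subj[k+1]) linked = 0
        root = (n > 0 && iss[n-1] == subj[n-1]) ? 1 : 0   # self-signed end
        if (n == 0)        v = "no-chain"
        else if (!linked)  v = "broken-link"
        else if (root)     v = "complete"
        else if (n == 1)   v = "leaf-only"              # the 6.8 symptom
        else               v = "intermediates-without-root"
        ls = linked ? "yes" : "no"; rs = root ? "yes" : "no"
        printf "depth=%d linked=%s ends_at_root=%s verdict=%s\n", n, ls, rs, v
      }'
}

# Live check (assumption: openssl with -tls1_2 / -tls1_3 flags).
# usage: probe host port
probe() {
    for proto in -tls1_2 -tls1_3; do
        printf '%s: ' "$proto"
        openssl s_client -connect "$1:$2" -servername "$1" "$proto" \
            </dev/null 2>/dev/null | chain_report
    done
}

# Constructed samples, reconstructed from the two outputs quoted in the thread.
SAMPLE_67=$(cat <<'EOF'
Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
)
SAMPLE_68=$(cat <<'EOF'
Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
EOF
)

report_67() { printf '%s\n' "$SAMPLE_67" | chain_report; }
report_68() { printf '%s\n' "$SAMPLE_68" | chain_report; }

# With a host and port on the command line, probe the live server;
# otherwise show the two sample reports.
if [ -n "${2:-}" ]; then
    probe "$1" "$2"
else
    printf '6.7 sample: '; report_67
    printf '6.8 sample: '; report_68
fi
```

A server that negotiates TLS 1.2 and reports "complete" (or "intermediates-without-root") but reports "leaf-only" once pinned to TLS 1.3 is showing exactly the 6.8 behaviour described above; the fix is on the server (the referenced commit or building LibreSSL without TLS 1.3 server support), not in ldap.conf.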

