Sent: Tue Jun 12 2012 12:08:52 GMT-0400 (EDT)
From: Patrick Hemmer <openl...@stormcloud9.net>
To: openldap-technical@openldap.org
Subject: TLS issues when setting olcTLSCACertificateFile to the CA bundle
Whenever I set olcTLSCACertificateFile to
/etc/pki/tls/certs/ca-bundle.crt LDAP clients get cert errors
connecting to the server. But it works fine when I point
olcTLSCACertificateFile at the actual server cert instead of the CA
bundle.
With olcTLSCACertificateFile pointed at /etc/pki/tls/certs/ca-bundle.crt:
CLIENT:
# LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt ldapsearch -H
'ldap://fqdn.to.my.server' -ZZ -x -b '' -s base '+'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable
to get local issuer certificate)
SERVER (from "slapd -d conns"):
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca.
Why is this happening? olcTLSCACertificateFile is supposed to control
the certificates that OpenLDAP will recognize, not affect the
certificate it gives to clients (right?).
This is OpenLDAP 2.4.31
-Patrick
So I found the cause of this issue. What is happening is that I have the
chain cert bundled in with the server's cert. Apparently the chain cert
MUST be placed in the file referenced by olcTLSCACertificateFile.
However this now introduces a problem. We are requiring client
certificates for all connections, and we are using our own CA cert to
sign the client certs, and then telling OpenLDAP to trust only our CA.
However by having to add the chain cert to the CAs that OpenLDAP will
recognize, other clients signed with that chain cert can now connect,
not just clients signed with our CA.
OpenLDAP does not appear to have any method for specifying that a cert
file should only be used as the chain cert of the server's certificate.
While browsing around trying to understand exactly what was going on, I
found other projects like apache httpd have configuration parameters (
SSLCertificateChainFile) to specify chain cert files for exactly this
reason. Is there any particular reason OpenLDAP does not have this
capability?
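The two effects described in this thread (the client's "unable to get local issuer certificate" when the intermediate chain cert is not supplied, and the widened client trust once a CA bundle is added to the file that olcTLSCACertificateFile points at) can be reproduced with plain openssl, without running slapd at all. The script below is an added example and is not code from the thread or from the OpenLDAP project. It builds a throwaway PKI (a public root, an intermediate standing in for the "chain cert", a server cert, a private client CA, an unrelated CA, and one client cert from each); every name, path and CA in it is constructed for the demo. `openssl verify` is used as a stand-in for the verification that ldapsearch does on the server cert and that slapd does on client certs when it requires them.

```shell
#!/bin/sh
# Added example (not from the original thread): a throwaway PKI built with
# openssl, used to reproduce the chain and trust effects with `openssl verify`.
# Every CA, name and path here is constructed for the demo.
set -eu

# make_key_and_csr PREFIX CN : EC key + CSR (EC keeps key generation fast)
make_key_and_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# make_root PREFIX CN EXTFILE : self-signed CA certificate with CA:TRUE
make_root() {
    make_key_and_csr "$1" "$2"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}

# issue_cert PREFIX CN ISSUER_PREFIX [EXTFILE] : certificate signed by ISSUER
issue_cert() {
    make_key_and_csr "$1" "$2"
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -days 1 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -days 1 -out "$1.pem" >/dev/null 2>&1
    fi
}

# verify_with CAFILE CERT [UNTRUSTED_CHAIN] : exit 0 iff CERT chains to a CA in CAFILE
verify_with() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# setup_demo_pki : builds the demo PKI in a temp dir and prints its path
setup_demo_pki() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Server side: public root -> intermediate (the "chain cert") -> server cert
    make_root "$d/public-root" "Demo Public Root" "$d/ca.ext"
    issue_cert "$d/intermediate" "Demo Intermediate CA" "$d/public-root" "$d/ca.ext"
    issue_cert "$d/server" "ldap.example.test" "$d/intermediate"
    # Client side: our private client CA, plus an unrelated CA that also sits in the bundle
    make_root "$d/our-ca" "Our Private Client CA" "$d/ca.ext"
    make_root "$d/other-ca" "Some Other CA" "$d/ca.ext"
    issue_cert "$d/our-client" "our-client" "$d/our-ca"
    issue_cert "$d/other-client" "other-client" "$d/other-ca"
    # Stand-in for /etc/pki/tls/certs/ca-bundle.crt: roots only, no intermediates
    cat "$d/public-root.pem" "$d/other-ca.pem" > "$d/ca-bundle.pem"
    # What the olcTLSCACertificateFile becomes once the bundle is appended to our CA
    cat "$d/our-ca.pem" "$d/ca-bundle.pem" > "$d/our-ca-plus-bundle.pem"
    echo "$d"
}

# report CAFILE CERT [UNTRUSTED_CHAIN] : print the verify outcome
report() {
    if verify_with "$@"; then echo "ACCEPT: $2 against $1"; else echo "REJECT: $2 against $1"; fi
}

DEMO_DIR=$(setup_demo_pki)

# 1. Chain: the client's bundle holds the root but not the intermediate, so the
#    server cert only verifies when the intermediate is supplied with it.
report "$DEMO_DIR/ca-bundle.pem" "$DEMO_DIR/server.pem"
report "$DEMO_DIR/ca-bundle.pem" "$DEMO_DIR/server.pem" "$DEMO_DIR/intermediate.pem"

# 2. Trust widening: our CA alone rejects a client from the unrelated CA, but
#    our CA plus the bundle accepts it.
report "$DEMO_DIR/our-ca.pem" "$DEMO_DIR/our-client.pem"
report "$DEMO_DIR/our-ca.pem" "$DEMO_DIR/other-client.pem"
report "$DEMO_DIR/our-ca-plus-bundle.pem" "$DEMO_DIR/other-client.pem"
```

The same `openssl verify -CAfile <file named by olcTLSCACertificateFile> <client cert>` check, run against a client cert issued by a CA you do not control, is a quick way to confirm whether a given CA file would let that client past slapd's client-certificate check.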