Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/16/2020 6:52 AM, Stuart Henderson wrote:

> ...actually I have now added a workaround to the databases/openldap port
> in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable
> packages and it should fix things.

Cool, I was actually already building from source in order to enable
modules. I updated my ports tree and rebuilt, looks good now, thanks
much for the quick fix.

It still does behave a little bit differently; under 6.7 it was
including the root CA in the chain sent by the server, under 6.8 it is
only including the intermediate, not the root. Which I actually prefer,
as sending the root is a waste of time, the client needs to have that
itself anyway in order to validate the chain in the first place.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/16/2020 2:30 AM, Stuart Henderson wrote:

> Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
> commit (or build LibreSSL with TLS 1.3 server support disabled). As far
> as I can tell there's no method to disable TLS 1.3 via config.

Hmm, yah, you can disable old versions, but I don't think there is any
way to disable newer ones.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/15/2020 10:18 PM, Brad Smith wrote:

> I remember seeing this commit recently. Not sure if this is your problem
> or not.
>
> https://marc.info/?l=openbsd-cvs=160511882917510=2

That definitely looks like it, thanks for the pointer.



Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Stuart Henderson wrote:
> Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
> commit (or build LibreSSL with TLS 1.3 server support disabled). As far
> as I can tell there's no method to disable TLS 1.3 via config.

...actually I have now added a workaround to the databases/openldap port
in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable
packages and it should fix things.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Brad Smith wrote:
> On 11/16/2020 12:08 AM, Paul B. Henson wrote:
>> I just updated one of my servers running 6.7 to 6.8, and am having a
>> problem with openldap. I have the intermediate cert and root CA in a
>> file referenced by the openldap config:
>>
>> TLSCACertificateFile /etc/openldap/cabundle.crt
>>
>> Under 6.7 with the openldap port from that version, this results in the
>> chain being served:
>>
>> Certificate chain
>>  0 s:CN = ldap-netsvc.pbhware.com
>>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>  2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>
>> However, under 6.8 with the newer openldap 2.4.53 port, only the server
>> cert itself is being served, not the intermediate or root:
>>
>> Certificate chain
>>  0 s:CN = ldap-netsvc.pbhware.com
>>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>
>> This of course causes clients to fail to validate the server cert :(.
>>
>> I'm running openldap 2.4.53 on other operating systems and as far as I
>> know there's no change in behavior with it. So I'm guessing there's an
>> interoperability issue between openbsd libressl and openldap that's
>> causing this problem?
>>
>> Do I need to configure something differently? Any other suggestions?
>>
>> Thanks much...
>
>
> I remember seeing this commit recently. Not sure if this is your problem 
> or not.
>
> https://marc.info/?l=openbsd-cvs=160511882917510=2
>
>

Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
commit (or build LibreSSL with TLS 1.3 server support disabled). As far
as I can tell there's no method to disable TLS 1.3 via config.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Brad Smith

On 11/16/2020 12:08 AM, Paul B. Henson wrote:

> I just updated one of my servers running 6.7 to 6.8, and am having a
> problem with openldap. I have the intermediate cert and root CA in a
> file referenced by the openldap config:
>
> TLSCACertificateFile /etc/openldap/cabundle.crt
>
> Under 6.7 with the openldap port from that version, this results in the
> chain being served:
>
> Certificate chain
>  0 s:CN = ldap-netsvc.pbhware.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>  2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> However, under 6.8 with the newer openldap 2.4.53 port, only the server
> cert itself is being served, not the intermediate or root:
>
> Certificate chain
>  0 s:CN = ldap-netsvc.pbhware.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> This of course causes clients to fail to validate the server cert :(.
>
> I'm running openldap 2.4.53 on other operating systems and as far as I
> know there's no change in behavior with it. So I'm guessing there's an
> interoperability issue between openbsd libressl and openldap that's
> causing this problem?
>
> Do I need to configure something differently? Any other suggestions?
>
> Thanks much...

I remember seeing this commit recently. Not sure if this is your problem
or not.

https://marc.info/?l=openbsd-cvs=160511882917510=2
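A check for the symptom reported in this thread, as an added example that is not code from the thread, OpenLDAP or the OpenBSD port: it parses the "Certificate chain" block that `openssl s_client -showcerts` prints (the format quoted above) and classifies what the server sent, so a monitoring job can catch a server that serves only its leaf. The sample chains are copied from the thread; the trust-anchor set is an assumed client trust store.

```python
"""Check whether an LDAP server's served certificate chain is complete.
Added example, not from the thread; parses the "Certificate chain" block
that `openssl s_client -showcerts` prints (the format quoted above)."""
import re

# Constructed sample inputs, in the format shown in the thread.
CHAIN_67 = """Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
CHAIN_68 = """Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""
# Assumed client trust store: only the root CA, as a client would hold it.
TRUST_ANCHORS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            certs.append([m.group(2).strip(), None])
        elif (m := _ISSUER.match(line)) and certs:
            certs[-1][1] = m.group(1).strip()
    return [tuple(c) for c in certs]

def check_chain(text, trust_anchors):
    """'complete', 'complete-with-root', 'broken' (issuer/subject mismatch)
    or 'missing-intermediates' (leaf only, as the 6.8 server sent)."""
    certs = parse_chain(text)
    if not certs:
        return "empty"
    for (_, issuer), (next_subj, _) in zip(certs, certs[1:]):
        if issuer != next_subj:
            return "broken"
    last_subj, last_issuer = certs[-1]
    if last_subj == last_issuer:
        return "complete-with-root"   # server sent the root too (6.7)
    if last_issuer in trust_anchors:
        return "complete"             # stops at intermediate; root is client-side
    return "missing-intermediates"
```

Feed it the output of `openssl s_client -connect host:636 -showcerts` and alert on anything other than "complete" or "complete-with-root"; the 6.8-stable behaviour Paul describes (intermediate sent, root omitted) classifies as "complete".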