Mailinglist Archive: opensuse-bugs (4284 mails)

[Bug 1039955] openldap/TLS not checking CA store per default
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 22 May 2017 07:53:28 +0000
  • Message-id: <bug-1039955-21960-h2OxjeUibC@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1039955
http://bugzilla.suse.com/show_bug.cgi?id=1039955#c1

--- Comment #1 from Howard Guo <hguo@xxxxxxxx> ---
Hello Jens.

OpenLDAP deals with the TLS CA store in a rather unconventional way; take a look at
this similar bug report:

https://bugzilla.suse.com/show_bug.cgi?id=1009470

"For quite a while I suspected that OpenLDAP did something wrong when it comes
to loading CA certificates from user specified locations, and today I found out
that OpenLDAP indeed made a mistake in its TLS configuration mechanism.

The TLS configuration deliberately hid the error in case user-specified CA
locations cannot be read, by loading CAs from default locations; and when the user
does not specify CA locations, the CAs from default locations are not read at
all."

The issue was resolved for openSUSE Factory; unfortunately Leap inherited the
package from SLES, and resolving the issue for SLES carries a small risk of
breaking existing deployments.

You did the right thing by explicitly specifying CA file/dir.

--
You are receiving this mail because:
You are on the CC list for the bug.
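The workaround endorsed in the comment above is to name the CA store explicitly in the client configuration rather than rely on OpenLDAP's defaults. The script below is an added example, not code from the bug report or from OpenLDAP: it audits an ldap.conf-style file for an explicit TLS_CACERT/TLS_CACERTDIR, checks that the named path is actually readable (the case the linked bug says OpenLDAP used to hide), and confirms TLS_REQCERT still enforces verification. The sample configs, the temporary directory and the stand-in CA bundle are constructed inline; the /etc/openldap/ldap.conf and /etc/ssl/ca-bundle.pem paths mentioned in comments are assumptions about a SUSE-style layout.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenLDAP): audit an OpenLDAP
# client config for an explicit, readable CA store.
# Typical use: audit_ldap_conf /etc/openldap/ldap.conf   (path is an assumption)

# Print the last value of an ldap.conf option; '#' comment lines are skipped and
# the keyword match is case-insensitive, as in OpenLDAP's own parser.
ldap_conf_get() {
    # $1 = config file, $2 = option name (e.g. TLS_CACERT)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Exit status: 0 = explicit CA store present and readable, verification enforced
#              1 = no TLS_CACERT/TLS_CACERTDIR at all (on the affected builds the
#                  comment describes, OpenLDAP then loads no CAs)
#              2 = a CA store is named but the path is unreadable (the silent
#                  fallback case from the linked bug)
#              3 = TLS_REQCERT weakened to never/allow/try
audit_ldap_conf() {
    conf=$1
    cafile=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)

    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "$conf: no TLS_CACERT/TLS_CACERTDIR set; set one explicitly" >&2
        return 1
    fi
    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "$conf: TLS_CACERT $cafile is not readable" >&2
        return 2
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "$conf: TLS_CACERTDIR $cadir is not a directory" >&2
        return 2
    fi
    # TLS_REQCERT defaults to demand when unset (ldap.conf(5)).
    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        ""|demand|hard) ;;
        *) echo "$conf: TLS_REQCERT $reqcert does not enforce verification" >&2
           return 3 ;;
    esac
    return 0
}

# --- constructed sample configs (not real deployments) ---------------------
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
: > "$TMPD/ca-bundle.pem"   # stand-in for /etc/ssl/ca-bundle.pem (assumption)

BAD_CONF=$TMPD/bad.conf     # relies on defaults that the bug says are never read
cat > "$BAD_CONF" <<EOF
URI   ldaps://ldap.example.com
BASE  dc=example,dc=com
EOF

GOOD_CONF=$TMPD/good.conf   # what the reporter did: name the CA file explicitly
cat > "$GOOD_CONF" <<EOF
URI         ldaps://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  $TMPD/ca-bundle.pem
TLS_REQCERT demand
EOF

MISSING_CONF=$TMPD/missing.conf   # names a CA file that does not exist
cat > "$MISSING_CONF" <<EOF
URI         ldaps://ldap.example.com
TLS_CACERT  $TMPD/does-not-exist.pem
EOF

for f in "$BAD_CONF" "$GOOD_CONF" "$MISSING_CONF"; do
    if audit_ldap_conf "$f"; then echo "$f: ok"; fi
done
```

To confirm the setting is actually honoured on a live client, run `ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base` (or `-H ldaps://...`) with `LDAPTLS_CACERT` pointed at the bundle; the `-ZZ` flag makes StartTLS mandatory, so a failing handshake is reported instead of silently downgrading.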