
List:       openldap-technical
Subject:    Re: ssl certificate chain
From:       "Heinemann, Peter G" <phei () isc ! upenn ! edu>
Date:       2020-06-04 19:23:49
Message-ID: BL0PR10MB2803D6F41E485D8B4EEA377E83890 () BL0PR10MB2803 ! namprd10 ! prod ! outlook ! com

Thanks, all, for your responses.  Ayer's blog entry and the twitter link it had the root (heh) explanation we were looking for.

We did in fact import the new root cert into the nss database as a way to get the broken applications to work.  I'm going to continue to try the blacklist approach outlined in Christian Heimes' tweet.

Howard,  I kinda figured this wasn't actually an openldap issue;  do you still want the full output?
________________________________
From: Howard Chu <hyc@symas.com>
Sent: Wednesday, June 3, 2020 2:44 PM
To: Dale Thompson - NOAA Federal <dale.j.thompson@noaa.gov>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: ssl certificate chain

Dale Thompson - NOAA Federal wrote:
> I'm not certain the hack redhat added to force openldap to use nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear to just
> use the PEM certs they would have used as if redhat never messed with forcing openldap to use nss, but rather left it at openssl. I did check and slapd is
> linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
>
> The fix for this might be as simple as linking the PEM version of the updated cert store into the directory where openldap is looking.

Redhat adds a custom PKCS#11 module to their NSS that lets it use PEM files. So it can use either
their usual certificate DBs or plain PEM files.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
