Package: libldap-2.4-2 Version: 2.4.40+dfsg-1+deb8u2 Severity: important Dear Maintainer,
The behaviour of OpenLDAP CLI and library appears to be broken. There seems to be no way to allow invalid certificates (despite OpenLDAP library claiming that it should be possible). Most simple usecase: 1. Install slapd with non-default CA signed certificate 2. Try connect with openldap -Z -H ldap://server ... Expected behaviour Invalid cert ignored, and TLS continues Actual behaviour Failure with non-descriptive error, debug shows ldap_start_tls: Connect error (-11) Workaround, of course, is to install the non-standard CA as trusted CA certificate. But the man page *does* say that it really should work. The same behaviour occurs with direct LDAP library usage with int opt = LDAP_OPT_X_TLS_ALLOW; ldap_set_option(conn->conn, LDAP_OPT_X_TLS, &opt); ldap_set_option(conn->conn, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt); Again, this should allow non-trusted certificate on peer, which is appears not to do. -- System Information: Debian Release: 8.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libldap-2.4-2 depends on: ii libc6 2.19-18+deb8u3 ii libgnutls-deb0-28 3.3.8-6+deb8u3 ii libsasl2-2 2.1.26.dfsg1-13+deb8u1 ii multiarch-support 2.19-18+deb8u3 libldap-2.4-2 recommends no packages. libldap-2.4-2 suggests no packages. -- Configuration Files: /etc/ldap/ldap.conf changed: TLS_CACERT /etc/ldap/certs.pem TLS_REQCERT allow TLS_CRLCHECK none -- no debconf information

