On 09.02.2017 at 21:52, Quanah Gibson-Mount wrote:
> So it is not clear to me what happens if you use both. ;) I've certainly
> never tried that. Since you are using both, did you correctly "hash" the CA
> certs in the directory you pointed at?
That's the point: the directory is empty! I configured cert + intermediate but never a root. Some magic default will grab it from a default location, and that's what I tried to avoid by setting "TLSCACertificatePath /path/to/an/empty/directory/".

Just removed TLSCACertificatePath from my config, but that doesn't change anything.

Some more tests later I now verified: no matter if TLSCACertificatePath is set or not, if /etc/ssl/certs/ contains the correctly "hashed" certificate representing the root, it's delivered as the third certificate in the SSL handshake.

/etc/ssl/certs/ is the compiled default of my openssl:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls -l /usr/lib/ssl
insgesamt 4
lrwxrwxrwx 1 root root   14 Jan  8  2015 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Jan 29 21:44 misc
lrwxrwxrwx 1 root root   20 Jan 27 00:40 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Jan  8  2015 private -> /etc/ssl/private

So my guess: openldap does not call an important openssl library function, and so openssl uses its defaults.

Andreas
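The checks behind this exchange, as an added example that is not part of the thread or of OpenLDAP: print the compiled-in directory OpenSSL falls back to, create and verify the subject-hash links a CApath directory needs, and count the certificates a server actually sends. It assumes only that the openssl command-line tool is installed; the function names are my own.

```shell
# Added example, not from the thread: checks whether a CA directory is "hashed"
# the way OpenSSL's CApath lookup expects, shows the compiled-in fallback
# directory, and counts the certificates a server actually sends.
# Assumes the openssl command-line tool is installed.

# Compiled-in directory OpenSSL falls back to when no CApath is configured
# (e.g. /usr/lib/ssl/certs, which on the poster's system links to /etc/ssl/certs).
openssl_default_certdir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1\/certs/p'
}

# Create the <subject_hash>.N symlinks OpenSSL looks up (what c_rehash does).
hash_dir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Return 0 when every certificate in DIR is reachable through a <hash>.N link,
# 1 otherwise. An unhashed file is silently ignored by OpenSSL, which is why
# "I put the CA in the directory" and "OpenSSL uses the CA" can differ.
check_hashed_dir() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
        found=0
        for link in "$dir/$hash".[0-9]*; do
            if [ -e "$link" ] && cmp -s "$link" "$cert"; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "not hashed: $cert (expected $dir/$hash.N)" >&2
            rc=1
        fi
    done
    return $rc
}

# Number of certificates the server at HOST:PORT sends in the handshake
# (the thread's symptom was 3 instead of 2). Needs network access.
served_chain_length() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Run `check_hashed_dir /path/to/dir` against the TLSCACertificatePath directory and `served_chain_length ldap.example:636` against the server to see both sides of the behaviour described above.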
