On Wed, Aug 09, 2017 at 07:47:06PM +0200, r0m5 wrote:
Yes so far "TLS_REQCERT allow" on the PHP applications' OS because the
OpenLDAP consumers certs are still self-signed.

Indeed I saw #8385 linked in ITS#8427. From my understanding #8385 deals
with certificate validation using libldap. php5-ldap depends on libldap
and the versions of libldap install on our php frontends are old
(jessie...).

I'm actually about to propose an update for stretch including that fix along with some others (and will update jessie-backports once it's released for stretch). I hadn't intended to backport it as far as jessie, but I have some other changes pending for jessie as well so I may as well include it.

So I will also make sure that the PHP frontends trust the CA that will
sign the new LDAP consumer's certificates. I guess that should solve the
STARTTLS problems from application to consumer the same way it (looks
like it) solved the STARTTLS problems from consumers to providers.

Yes, it should.

Reply via email to