>>> Mark Cairney <[email protected]> wrote on 11.04.2019 at 13:35 in message <[email protected]>:
> Hi,
>
> Having just updated our SSL certificates on our OpenLDAP server led us
> to review the contents of our "bundle" file referenced in
> "olcTLSCACertificateFile".
>
> According to the documentation at:
> https://www.openldap.org/doc/admin24/tls.html it states "This directive
> specifies the PEM-format file containing certificates for the CA's that
> slapd will trust. The certificate for the CA that signed the server
> certificate must be included among these certificates. If the signing CA
> was not a top-level (root) CA, certificates for the entire sequence of
> CA's from the signing CA to the top-level CA should be present. Multiple
> certificates are simply appended to the file; the order is not significant."
>
> However based on our understanding of how SSL works we should only
> actually need the intermediate(s) in there as the client should have the
> root and then compare the intermediate provided by the server and only
> trust it if it can use this in conjunction with its copy of the root
> certificate to complete the chain of trust.

With the same argumentation you could also omit the intermediate CAs (you can trust an intermediate CA as well).

>
> Based on this we configure our web servers to only have the
> intermediate(s) in their chain (and in fact SSL Labs marks you down if
> you have the root in there too).
>
> Of course we do realise LDAP is not HTTP!
>
> We're running OpenLDAP 2.4.47 linked against OpenSSL on Scientific Linux
> 7.5.
>
> Kind regards,
> Mark
>
> --
> /****************************
>
> Mark Cairney
> ITI Enterprise Services
> Information Services
> University of Edinburgh
>
> Tel: 0131 650 6565
> Email: [email protected]
> PGP: 0x435A9621
>
> *******************************/
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
