Control: tag -1 confirmed
On Sat, Sep 10, 2016 at 09:37:17PM +0300, Tero Marttila wrote:
> The package libldap-2.4-2 ships a default configuration file for
> /etc/ldap/ldap.conf with the following:
>
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> It appears that libldap fails to connect to any ldaps servers if the
> ca-certificates.crt file is missing, even if using 'TLS_REQCERT
> allow'. Installing the ca-certificates package allows the connection
> to succeed.
Thanks for the detailed report. Reproduced here, exactly as you said.
Looks like what's happening is gnutls_certificate_set_x509_trust_file()
returns an error, and we bail out straight away. TLS_REQCERT allow does
indeed work as advertised with cert errors during the handshake, but we
never make it to that point.
I don't think redefining TLS_REQCERT to permit this invalid
configuration would be the right thing to do, but there's certainly room
for improved logging here.
> I suspect that the libldap package should have a Depends: on the
> ca-certificates package if this file is required for the correct
> operation of libldap?
I don't think that would be correct, as the library operates just fine
if you comment out that default or point it at your own CA store.
In unstable, it looks like gnutls is now built with a default system
trust store configured, so we may be able to drop that TLS_CACERT
default altogether. I'll look into that.
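
A small check for the failure mode discussed above, added here as an example; it is not code from the report, from libldap or from the Debian package. It assumes POSIX sh with awk and mktemp, and the ldap.conf it exercises is constructed in a temp directory rather than read from /etc/ldap:

```shell
#!/bin/sh
# Added example (not from the bug report or the libldap package): inspect an
# ldap.conf the way libldap effectively does at startup. If TLS_CACERT names a
# file that is not there, gnutls_certificate_set_x509_trust_file() fails and
# every ldaps:// connection is refused before the handshake, so TLS_REQCERT
# never gets a say. This script only checks that the file is present and
# readable; it does not validate the bundle's contents.
# Assumes POSIX sh, awk and mktemp; option values containing spaces are not handled.

# Print the value of TLS_CACERT from the given ldap.conf, or nothing if unset.
# Keyword match is case-insensitive; comment lines never match because their
# first field is "#TLS_CACERT" (or "#"), not "TLS_CACERT".
ldap_tls_cacert_path() {
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$1"
}

# Exit status:
#   0  TLS_CACERT unset (library default applies) or set to a readable file
#   1  TLS_CACERT set but the file is missing or unreadable: ldaps will fail
#      regardless of TLS_REQCERT
#   2  the ldap.conf itself cannot be read
ldap_tls_cacert_check() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read config" >&2
        return 2
    fi
    cacert=$(ldap_tls_cacert_path "$conf")
    if [ -z "$cacert" ]; then
        echo "$conf: TLS_CACERT not set, library default trust store applies"
        return 0
    fi
    if [ -r "$cacert" ]; then
        echo "$conf: TLS_CACERT $cacert is present"
        return 0
    fi
    echo "$conf: TLS_CACERT $cacert is missing; ldaps connections will fail" \
         "before the TLS handshake, whatever TLS_REQCERT says" >&2
    return 1
}

# One of the two workarounds from the thread: write a copy of the config with
# every TLS_CACERT line commented out so libldap falls back to its default.
# (The other workaround is simply to point TLS_CACERT at a store you do have.)
ldap_conf_drop_cacert() {
    awk 'toupper($1) == "TLS_CACERT" { print "#" $0; next } { print }' "$1" > "$2"
}

# Walk through the failure and both fixes on a constructed config. The
# ca-certificates.crt path here is a temp file standing in for
# /etc/ssl/certs/ca-certificates.crt; no real system files are touched.
demo() {
    tmp=$(mktemp -d)
    printf 'TLS_CACERT %s/ca-certificates.crt\nTLS_REQCERT allow\n' "$tmp" \
        > "$tmp/ldap.conf"                      # Debian default, bundle absent
    ldap_tls_cacert_check "$tmp/ldap.conf" || true          # -> status 1
    : > "$tmp/ca-certificates.crt"                          # "install" the bundle
    ldap_tls_cacert_check "$tmp/ldap.conf"                  # -> status 0
    ldap_conf_drop_cacert "$tmp/ldap.conf" "$tmp/fixed.conf"
    ldap_tls_cacert_check "$tmp/fixed.conf"                 # -> status 0
    rm -rf "$tmp"
}

demo
```

Run it as-is for the walkthrough, or call ldap_tls_cacert_check /etc/ldap/ldap.conf on a real box; status 1 is exactly the state the report describes. Note that the file is checked only for presence, not for what it contains, so a present-but-empty bundle still passes this check while still failing certificate verification later.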