atom feed30 messages in org.openldap.openldap-softwareRe: failover config: servers with sam...
FromSent OnAttachments
Emmanuel DreyfusJul 23, 2007 6:51 am 
Quanah Gibson-MountJul 23, 2007 11:01 am 
Emmanuel DreyfusJul 23, 2007 1:09 pm 
Quanah Gibson-MountJul 23, 2007 1:18 pm 
Russ AllberyJul 23, 2007 4:35 pm 
Christopher CowartJul 23, 2007 7:40 pm 
Howard ChuJul 23, 2007 9:58 pm 
Emmanuel DreyfusJul 24, 2007 1:02 am 
Howard ChuJul 24, 2007 1:54 am 
Emmanuel DreyfusJul 24, 2007 12:18 pm 
Quanah Gibson-MountJul 25, 2007 8:53 am 
Emmanuel DreyfusJul 25, 2007 9:07 am 
Quanah Gibson-MountJul 25, 2007 9:48 am 
Michael StröderJul 25, 2007 9:53 am 
Emmanuel DreyfusJul 25, 2007 10:36 am 
Quanah Gibson-MountJul 25, 2007 10:47 am 
Howard ChuJul 25, 2007 2:31 pm 
Michael StröderJul 25, 2007 2:39 pm 
Howard ChuJul 25, 2007 2:45 pm 
Russ AllberyJul 25, 2007 2:46 pm 
Norman GaywoodJul 25, 2007 3:04 pm 
Emmanuel DreyfusJul 25, 2007 8:31 pm 
Emmanuel DreyfusJul 25, 2007 8:31 pm 
Howard ChuJul 25, 2007 11:18 pm 
Ralf HaferkampJul 26, 2007 1:28 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Donn CaveJul 26, 2007 9:39 am 
Ralf HaferkampJul 26, 2007 11:47 am 
Howard ChuJul 27, 2007 2:14 am 
Subject:Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From:Ralf Haferkamp (rha@suse.de)
Date:Jul 26, 2007 1:28:10 am
List:org.openldap.openldap-software

On Tuesday 24 July 2007 21:18, Emmanuel Dreyfus wrote:

Howard Chu <hy@symas.com> wrote:

When you run OpenLDAP's configure script you will see:

checking OpenSSL library version (CRL checking capability)... no

indicating that your OpenSSL library doesn't support it. Otherwise I suppose you would see in your OpenSSL release notes/docs.

Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test validates at mine, despite OpenSSL version (0.9.7d)

configure:19757: checking OpenSSL library version (CRL checking capability) configure:19791: result: yes

And then if I use TLS_CRLCHECK, LDAP operation will fail:

ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I hope you'll agree with me that this is *very* misleading if CRL checks are not supposed to work with 0.9.7d.

They should work with 0.9.7d. IIRC that was the version I used when implementing CRL support. Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you want to use CRLs you have to specify a CACERTDIR. That directory has to be correctly hashed (using c_rehash).