[Pkg-openldap-devel] Bug#837341: Bug#837341: libldap fails to connect to ldaps servers without the ca-certificates package installed

Ryan Tandy ryan at nardis.ca
Tue Sep 13 02:15:57 UTC 2016


Control: tag -1 confirmed

On Sat, Sep 10, 2016 at 09:37:17PM +0300, Tero Marttila wrote:
>The package libldap-2.4-2 ships a default configuration file for 
>/etc/ldap/ldap.conf with the following:
>
>>TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
>
>It appears that libldap fails to connect to any ldaps servers if the 
>ca-certificates.crt file is missing, even if using 'TLS_REQCERT 
>allow'. Installing the ca-certificates package allows the connection 
>to succeed.

Thanks for the detailed report. Reproduced here, exactly as you said.

Looks like what's happening is gnutls_certificate_set_x509_trust_file() 
returns an error, and we bail out straight away. TLS_REQCERT allow does 
indeed work as advertised with cert errors during the handshake, but we 
never make it to that point.

I don't think redefining TLS_REQCERT to permit this invalid 
configuration would be the right thing to do, but there's certainly room 
for improved logging here.

>I suspect that the libldap package should have a Depends: on the 
>ca-certificates package if this file is required for the correct 
>operation of libldap?

I don't think that would be correct, as the library operates just fine 
if you comment out that default or point it at your own CA store.

In unstable, it looks like gnutls is now built with a default system 
trust store configured, so we may be able to drop that TLS_CACERT 
default altogether. I'll look into that.

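The failure mode Ryan describes (a TLS_CACERT path that does not exist makes libldap bail out before the handshake, so TLS_REQCERT allow never gets a chance to apply) is easy to catch with a configuration check. The following is an added example written for this page, not code from the OpenLDAP project or the Debian packaging: it parses an ldap.conf-style text, looks up TLS_CACERT and TLS_REQCERT, and reports when the CA file is missing. The sample configuration is constructed from the default quoted in the bug, and the `exists` parameter is a hook so the check can be exercised without touching the real filesystem.

```python
import os

# Constructed sample mirroring the default /etc/ldap/ldap.conf quoted in the bug.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample, not the shipped file)
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     allow
"""

# Values TLS_REQCERT accepts in ldap.conf; 'demand' (alias 'hard') is the default.
_REQCERT_LENIENT = {"never", "allow", "try"}


def parse_ldap_conf(text):
    """Return a dict of directive -> value from ldap.conf-style text.

    Directive names are case-insensitive; comment and blank lines are skipped.
    Later occurrences of a directive override earlier ones, as in ldap.conf.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a bare directive with no value is ignored here
        opts[parts[0].upper()] = parts[1].strip()
    return opts


def check_tls_cacert(opts, exists=os.path.isfile):
    """Return a list of human-readable findings about the TLS trust configuration.

    The point taken from the bug thread: if TLS_CACERT names a file that is not
    present, the trust store cannot be loaded and TLS setup fails before any
    handshake, so a lenient TLS_REQCERT (allow/never/try) does not rescue the
    connection. 'exists' is injectable so the check can run against constructed
    paths in a test.
    """
    findings = []
    cacert = opts.get("TLS_CACERT")
    reqcert = opts.get("TLS_REQCERT", "demand").lower()

    if cacert is None:
        findings.append(
            "TLS_CACERT is unset: libldap will rely on the GnuTLS default trust "
            "store, if the library was built with one")
        return findings

    if not exists(cacert):
        msg = (f"TLS_CACERT {cacert} does not exist: trust store load fails "
               f"before the TLS handshake, so every ldaps:// connection will fail")
        if reqcert in _REQCERT_LENIENT:
            msg += (f"; TLS_REQCERT {reqcert} does not help because the "
                    f"failure happens before certificate verification")
        findings.append(msg)
    return findings


def lint_ldap_conf(text, exists=os.path.isfile):
    """Parse the text and return the findings for it."""
    return check_tls_cacert(parse_ldap_conf(text), exists=exists)


if __name__ == "__main__":
    # Simulate the reported situation: ca-certificates not installed.
    for finding in lint_ldap_conf(SAMPLE_LDAP_CONF, exists=lambda p: False):
        print("WARNING:", finding)
    # Run against the real file on this host, if present.
    if os.path.isfile("/etc/ldap/ldap.conf"):
        with open("/etc/ldap/ldap.conf") as fh:
            for finding in lint_ldap_conf(fh.read()):
                print("WARNING:", finding)
```

Running this on a host where ca-certificates is absent reports the missing file together with the note that TLS_REQCERT allow is irrelevant at that stage; pointing TLS_CACERT at an existing bundle, or removing the directive where GnuTLS carries a system trust store, clears the finding.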