Bug 1270678 - [SSL] Use system trusted CA store by default
Summary: [SSL] Use system trusted CA store by default
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matus Honek
QA Contact: Fedora Extras Quality Assurance
: 1352876 1426177 (view as bug list)
Depends On:
Blocks: 1249781 1255651
TreeView+ depends on / blocked
Reported: 2015-10-12 06:34 UTC by Alon Bar-Lev
Modified: 2018-07-20 11:30 UTC (History)
8 users (show)

Fixed In Version: openldap-2.4.45-11.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-02-21 16:58:57 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1537259 0 unspecified CLOSED OpenLDAP defaults to use only Shared System Certificates 2021-02-22 00:41:40 UTC

Internal Links: 1537259

Description Alon Bar-Lev 2015-10-12 06:34:35 UTC
Currently /etc/openldap/ldap.conf has the following reference to CA store:

  TLS_CACERTDIR /etc/openldap/cacerts

This is a specific store for openldap in openssl's nss certdir. By default this directory has an empty database.

# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
ldapsearch and other utilities cannot be used to access ssl/startTLS servers with valid system wide trusted certificate chains.

ca-certificates package provide update-ca-trust utility to manage the system trust, for openssl it manages /etc/pki/tls/certs/ca-bundle.crt (/etc/ssl/certs which is symlink to /etc/pki/tls/certs),  openldap uses openssl.

openldap package can be integrated to use this system wide store by adding the following into /etc/openldap/ldap.conf:

  TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Or by updating ca-certificates package to also manage nss store in addition to openssl.

Integrating openldap into the system wide trust by default will enable easier and more secure management of system trust.

Comment 2 Fedora End Of Life 2016-07-19 18:11:08 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 3 Matus Honek 2016-09-14 14:59:42 UTC
This is correct. We should implement this (per https://fedoraproject.org/wiki/Features/SharedSystemCertificates). I am changing bug's version to RAWHIDE as it should not change already established defaults.

Comment 4 Matus Honek 2016-09-14 15:01:40 UTC
*** Bug 1352876 has been marked as a duplicate of this bug. ***

Comment 5 Fedora End Of Life 2017-02-28 09:49:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Matus Honek 2017-04-07 10:18:11 UTC
*** Bug 1426177 has been marked as a duplicate of this bug. ***

Comment 7 Jan Kurik 2017-08-15 09:01:47 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Note You need to log in before you can comment on or make changes to this bug.