Hello,
Could you help me understand how to configure 389-ds to enable CRL checking during TLS
authentication?
I am working on the master/master replication between two instances.
The TLS communication using certificates works without problem, but the CRL URL is
ignored.
By checking the source code of 389-ds-base, I found the configuration item
"nsslapd-tls-check-crl".
I set this item to "peer" mode in order to check the CRL referenced in the
received certificate.
Note: This option is not described in the "Configuration, Command, and File
Reference" documentation.
After this configuration, each time a TLS communication is initiated, the communication
fails with the following error:
ERR - NSMMReplicationPlugin - bind_and_check_pwp -
agmt="cn=agreement-ldap1-to-ldap2" (ldap2-server:389) - Replication bind with
SIMPLE auth failed: LDAP error -11 (Connect error) (error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (unable to get
certificate CRL))
I tried to initiate the TLS communication with certificates that do not contain the CRL
URL. The communication fails.
I checked that the CRL is available using a wget command.
I found a ticket,
https://bugzilla.redhat.com/show_bug.cgi?id=1541108, indicating a bug in
CRL management. The reported bug is the same error that I have encountered.
However, this bug is reported as fixed in version 1.3.7.5 of 389-ds-base, and I am
working with version 2.0.1 of 389-ds (operating system: openSUSE 15.2).
I suppose that more configuration should be performed in my setup.
Thanks.
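The OpenSSL error quoted in the log above, "certificate verify failed (unable to get certificate CRL)", is what the verifier reports when CRL checking is enabled but no CRL for the certificate's issuer could be obtained. The script below is an added example, not part of this message or of the 389-ds project: it builds a throw-away CA and certificate with openssl, reproduces that verify error, then shows the same check passing once the issuer's CRL is supplied, which is a way to confirm that a certificate and its CRL validate together before enabling nsslapd-tls-check-crl. It assumes only the openssl command-line tool (1.1.1 or later); all names, the CRL URL and the files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original message or the 389-ds project:
# reproduce OpenSSL's "unable to get certificate CRL" verification error with
# a throw-away CA, then show the same check passing once the issuer's CRL is
# supplied. Assumes only the openssl command-line tool (1.1.1 or later).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throw-away CA (constructed test data, names are placeholders).
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Test CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca_ext.cnf \
  -out ca.pem >/dev/null 2>&1

# Server certificate issued by that CA. It carries a CRL distribution point,
# as the replication peer's certificate would; the URL is a placeholder and
# the CRL is supplied locally below instead of being fetched.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=ldap2-server" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:http://crl.example.invalid/test.crl\n' > srv_ext.cnf
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
  -extfile srv_ext.cnf -out srv.pem >/dev/null 2>&1

# Empty CRL signed by the CA: what the distribution point should serve.
printf '[ca]\ndefault_ca=ca_default\n[ca_default]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
: > index.txt
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem -md sha256 \
  -crldays 2 -out crl.pem >/dev/null 2>&1

# verify_with_crl_check CERT [CRLFILE]: chain verification with CRL checking
# enabled, which is what the TLS peer check does. Returns 0 only on "OK".
verify_with_crl_check() {
  if [ -n "$2" ]; then
    openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1"
  else
    openssl verify -crl_check -CAfile ca.pem "$1"
  fi
}

echo "--- CRL checking on, no CRL available:"
verify_with_crl_check srv.pem || true     # fails: unable to get certificate CRL
echo "--- CRL checking on, issuer CRL supplied:"
verify_with_crl_check srv.pem crl.pem     # succeeds: srv.pem: OK
```

Run against a real deployment, the same openssl verify call with the partner's certificate, the CA chain and the CRL downloaded from the distribution point tells you whether the failure is in the certificate and CRL material or in the server configuration.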