Hello, Could you help me understanding how to configure 389-ds to enable CRL checking at TLS authentication ? I am working on the master/master replication between two instances. The TLS communication thanks to certificate works without problem but the CRL url is ignored. By checking the source code of 389-ds-base, I found the configuration item "nsslapd-tls-check-crl". I set this item to "peer" mode in order to check the CRL referenced in the received certificate. Note: This option is not described in the "Configuration, Command, and File Reference" documentation. After this configuration, each time a TLS communication is initiated, this communication fails with the following error : ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=agreement-ldap1-to-ldap2" (ldap2-server:389) - Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get certificate CRL)) I try to initiate the TLS communication with certificates that do not containt the CRL url. The communication fails. I check that the CRL is available thanks to a wget command. I found a ticket https://bugzilla.redhat.com/show_bug.cgi?id=1541108 indicating a bug on the CRL management. The reported bug is the same error that I have encountered. However, this bug is reported as fixed in the 1.3.7.5 version of 389-ds-base and I am working with the 2.0.1 version of 389-ds (operating system : Opensuse 15.2) I suppose that more configuration should be performed in my setup. Thanks. _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
