pfSense

See #9433 for an additional example of a problem case solved by this patch

2.4.4-p3

This all seems to work. It also seems much more consistent as posited in the description. I did a lot of bouncing around between SSL/636, STARTTLS, Clear, making changes to the server capabilities and requirements and everything seemed to happen as expected.

Much improved. Thank you.

It looks like LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE are being set but for some reason not honored as they should be. I can retrieve the set values with ldap_get_option(), but the connection still fails to validate the CA even though the correct file is in place. Checking with the exact same CA file at the CLI using s_client shows the CA as valid.

There was a PHP bug filed a long time ago, but was closed for lack of feedback: https://bugs.php.net/bug.php?id=73558
A couple other similar posts around but nothing concrete either way.

Will keep testing on 2.5.0 but this may need backed out entirely, or at least reworked so the old style is only used for self-signed.

This is working better but today I'm seeing some inconsistencies in the behavior. I can flip back and forth between testing two LDAP servers with different CAs and most of the time they both work, but some results return a failure. Packet capture shows that when it fails, it's an "unknown CA" error. So somehow it still appears to be confusing the LDAP environments.

The functions setting the values succeed, but there also doesn't seem to be any function which can read the values of the LDAP_OPT_X_TLS_CACERTDIR / LDAP_OPT_X_TLS_CACERTFILE variables since they use a NULL resource identifier.

See also: #10704