Reduce verify to 2 and check only agains /etc/ssl/certs (#162)

Checking against locally installed certificate (CAfile) makes it impossible to switch server certificate without touching stunnel configuration.
zalando · May 8, 2017 · 551915e · 551915e
1 parent bf2dc6e
commit 551915e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 145 deletions.
diff --git a/postgres-appliance/configure_spilo.py b/postgres-appliance/configure_spilo.py
@@ -428,8 +428,8 @@ def write_ldap_configuration(placeholders, overwrite):
 connect = {0}:{1}
 client = yes
 accept = 389
-verify = 3
-CAfile = /etc/stunnel/chain.pem
+verify = 2
+CApath = /etc/ssl/certs
 """.format(host, port)
     write_file(stunnel_config, '/etc/stunnel/ldap.conf', overwrite)
 

diff --git a/postgres-appliance/stunnel.d/chain.pem b/postgres-appliance/stunnel.d/chain.pem