Redmine

A possible 'fix' should be made optional. Not every company uses certificates issued by official certificate authorities. Their are enough self-signed certificates that still have to work.

Whether the certificate is self-signed, signed by an in-house CA, or signed by an "official" CA, doesn't matter. Redmine should attempt to check the validity of the cert against information on the local machine. Nothing about a self-signed cert precludes this.

I can't work out how to fix this myself, but one possible workaround is to use socat to proxy the LDAP port (389) on localhost to the real LDAPS service, validating the certificate along the way.

socat TCP4-LISTEN:389,bind=localhost,reuseaddr,fork,su=nobody OPENSSL:ldapserver.example.com:636,cafile=/etc/ssl/certs/ldapcert.pem &

Then point Redmine to localhost for LDAP (non TLS).

The 'fix' (which should really be on by default or you could be sending your passwords anywhere :/) can be made by changing

source:trunk/app/models/auth_source_ldap.rb@16773#L147

to something along the lines of

                :encryption => {
                   method: :simple_tls,
                   tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
                 }

(note I've removed the optional check of self.tls, this is purely for reference purposes!!!)

If the change above is made then the certificate will be verified correctly, if the certificate is self signed or not available in the operating system's certificate stores for some other reason then the instructions here explain how to install the relevant certificate.