
Re: (ITS#5515) v2.4.9 + GnuTLS fails with wildcard certificate, OpenSSL works correctly



bgoldsbury@gleim.com wrote:
> Full_Name: Ben Goldsbury
> Version: 2.4.9
> OS: Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (209.208.68.2)
>
>
> When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my testing) and
> using a valid Wildcard SSL certificate, TLS connections to OpenLDAP fail with:
>
> TLS certificate verification: Error, unable to get local issuer certificate
>
> When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my testing)
> and using the same certificate, connections work properly.
>
> Please contact me if you need any additional information.

This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.

What exactly do you mean by "Wildcard SSL certificate"? There are a couple of
different approaches to that. One uses the subjectAltName extension, and that
is the officially sanctioned approach. One uses "*" in the certificate CN, and
that is non-standard and generally not supposed to work.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
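
The distinction drawn above (subjectAltName dNSName entries versus a "*" in the CN) is about how a client matches the server's hostname against the certificate, which is separate from the chain-building error in the original report. The following is an added example, not code from OpenLDAP, GnuTLS or OpenSSL, showing the RFC 6125 / RFC 2818 matching rules that mainstream TLS clients apply: dNSName SANs are checked first, the CN is consulted only when the certificate carries no dNSName SAN at all, and a wildcard is only honoured as the entire leftmost label and never spans more than one label. The `CertIdentity` class, the helper names and the sample identities are constructed for this illustration; the requirement of at least two labels after the wildcard (so "*.com" is rejected) is a conservative choice also made by common implementations.

```python
"""Hostname matching for wildcard certificates (added example, not project code).

Rules implemented (RFC 6125 section 6.4.3, RFC 2818 section 3.1):
  * subjectAltName dNSName entries take precedence over the CN;
  * the CN is a legacy fallback used only when no dNSName SAN is present;
  * '*' must be the whole leftmost label ('f*o.example.com' is rejected);
  * '*' matches exactly one label, so '*.example.com' does not match
    'a.b.example.com';
  * at least two labels must follow the wildcard ('*.com' is rejected).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """The name-bearing parts of an end-entity certificate (constructed type)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and the only one.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Conservative: refuse wildcards over a top-level label such as '*.com'.
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one non-empty label; it never spans a dot.
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def matches_hostname(identity: CertIdentity, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a hostname against a certificate identity.

    If the certificate carries any dNSName SAN, only those entries count and
    the CN is ignored, even if the CN would have matched.
    """
    if identity.san_dns:
        for name in identity.san_dns:
            if _name_matches(name, hostname):
                return True, "matched subjectAltName dNSName %r" % name
        return False, "no subjectAltName dNSName matched; CN ignored because SAN present"
    if identity.common_name and _name_matches(identity.common_name, hostname):
        return True, "matched CN %r (legacy fallback, no dNSName SAN)" % identity.common_name
    return False, "no match"


# Constructed sample identities (not real certificates).
SAN_WILDCARD_CERT = CertIdentity(
    common_name="*.example.com",
    san_dns=["*.example.com", "example.com"],
)
CN_ONLY_WILDCARD_CERT = CertIdentity(common_name="*.example.com")
# CN would match, but the SAN list is authoritative and does not.
MISMATCHED_SAN_CERT = CertIdentity(
    common_name="*.example.com",
    san_dns=["ldap.example.org"],
)


if __name__ == "__main__":
    for ident, host in [
        (SAN_WILDCARD_CERT, "ldap.example.com"),
        (SAN_WILDCARD_CERT, "a.b.example.com"),
        (CN_ONLY_WILDCARD_CERT, "ldap.example.com"),
        (MISMATCHED_SAN_CERT, "ldap.example.com"),
    ]:
        print(host, "->", matches_hostname(ident, host))
```

A certificate issued the sanctioned way carries the wildcard (and usually the bare domain) as dNSName SANs; a CN-only wildcard certificate is accepted only by clients that still fall back to the CN, which is why it is not something to rely on.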