
Re: (ITS#5515) v2.4.9 + GnuTLS fails with wildcard certificate, OpenSSL works correctly



We're using *.domain.tld in the CN and subjectAltName:DNS:*.domain.tld

This may be a GnuTLS issue, as I am able to reproduce it with the GnuTLS
server/client testing tools.

On Sat, 2008-05-17 at 23:23 -0700, Howard Chu wrote:
> bgoldsbury@gleim.com wrote:
> > Full_Name: Ben Goldsbury
> > Version: 2.4.9
> > OS: Debian
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (209.208.68.2)
> >
> >
> > When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my testing) and
> > using a valid Wildcard SSL certificate, TLS connections to OpenLDAP fail with:
> >
> > TLS certificate verification: Error, unable to get local issuer certificate
> >
> > When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my testing)
> > and using the same certificate, connections work properly.
> >
> > Please contact me if you need any additional information.
> 
> This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.
> 
> What exactly do you mean by "Wildcard SSL certificate" ? There are a couple 
> different approaches to that. One uses the subjectAltName extension, and that 
> is the officially sanctioned approach. One uses "*" in the certificate CN, and 
> that is non-standard and generally not supposed to work.
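Howard's distinction between the two wildcard approaches is the core of the thread: a dNSName entry in subjectAltName is the sanctioned place for `*.domain.tld`, while a wildcard in the CN is a legacy fallback. The following is an added example written for this page, not OpenLDAP, GnuTLS or OpenSSL code, and it does not reproduce the ITS#5361 defect. It implements the name-matching rule a client is expected to apply (as in RFC 6125 section 6.4.4, which I take as the reference here): match the hostname against subjectAltName dNSName entries first, only fall back to the CN when the certificate carries no dNSName at all, and honour a wildcard only as the whole leftmost label covering exactly one label. The certificate shapes (`*.domain.tld` in CN and SAN) are the ones the reporter describes; the hostnames fed to it are constructed for the demonstration.

```python
"""Wildcard hostname matching: subjectAltName dNSName first, CN as legacy fallback.

Added illustration for this thread, not code from OpenLDAP, GnuTLS or OpenSSL.
The rules follow RFC 6125 section 6.4.4 (assumed reference, not stated on the page).
"""
from typing import Optional, Sequence


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one presented dNSName (possibly '*.domain.tld') cover hostname?

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only when it is the entire leftmost label
    - '*' matches exactly one non-empty label, so '*.domain.tld' covers
      'ldap.domain.tld' but neither 'domain.tld' nor 'a.b.domain.tld'
    - a wildcard with fewer than two labels to its right ('*.tld', '*') is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard anywhere but the leftmost label is not a wildcard
    if len(p_labels) != len(h_labels):
        return False  # a single '*' never spans more than one label
    if h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, san_dns_names: Sequence[str], cn: Optional[str]) -> str:
    """Classify how a certificate's identifiers cover hostname.

    Returns 'san' when a subjectAltName dNSName matches, 'cn' when the
    certificate has no dNSName entries and the (legacy) CN matches, and
    'none' otherwise. Once any dNSName is present the CN is ignored, even
    if it would match: that is what makes the SAN route the sanctioned one.
    """
    if any(dns_name_matches(name, hostname) for name in san_dns_names):
        return "san"
    if san_dns_names:
        return "none"
    if cn is not None and dns_name_matches(cn, hostname):
        return "cn"
    return "none"


if __name__ == "__main__":
    # Constructed inputs modelled on the reporter's certificate.
    reporter_cert = {"san": ["*.domain.tld"], "cn": "*.domain.tld"}
    cn_only_cert = {"san": [], "cn": "*.domain.tld"}
    for host in ["ldap.domain.tld", "domain.tld", "a.b.domain.tld"]:
        print(host, "with SAN+CN:", verify_hostname(host, reporter_cert["san"], reporter_cert["cn"]))
        print(host, "with CN only:", verify_hostname(host, cn_only_cert["san"], cn_only_cert["cn"]))
```

Run stand-alone it prints, for each constructed hostname, whether the reporter's certificate is accepted via the SAN, via the legacy CN, or not at all; `verify_hostname` is the function to call from other code. The point to notice is the `"cn"` path: it only exists for certificates with no dNSName, which is why a CN-only wildcard is the approach Howard describes as not supposed to work.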