RE: OpenLDAP does not allow to send certificate chains (ITS#3159)
Certificate chains are specified using the TLS_CACERT ldap.conf(5) directive
or the TLSCACertificateFile slapd.conf(5) directive. I see no reason to
change this behavior.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
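The reply above places the server's chain in TLSCACertificateFile (slapd.conf) or TLS_CACERT (ldap.conf) rather than in the certificate file itself, because without the proposed patch SSL_CTX_use_certificate_file() loads only the first PEM certificate of TLSCertificateFile and silently ignores any appended intermediates. The following is an added example, not code from the thread or from OpenLDAP: a POSIX shell check that reads a slapd.conf, counts the PEM certificate blocks in the two files, and flags a layout where the chain was appended to TLSCertificateFile. The directive names are the real slapd.conf(5) ones; the file paths it is run against are whatever the configuration names.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP thread): verify that a slapd.conf keeps
# exactly one certificate in TLSCertificateFile and puts the intermediates in
# TLSCACertificateFile, the layout described in the reply above.

# Number of PEM certificate blocks in a file; 0 if the path is empty or missing.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when there are no matches; the count is still printed.
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# First value of a slapd.conf directive, matched case-insensitively
# (slapd.conf(5) directives are not case sensitive). Empty if absent.
slapd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when TLSCertificateFile holds one certificate and
# TLSCACertificateFile holds at least one; 1 otherwise, with a reason on stderr.
check_tls_layout() {
    conf="$1"
    cert=$(slapd_directive "$conf" TLSCertificateFile)
    ca=$(slapd_directive "$conf" TLSCACertificateFile)
    n_cert=$(count_pem_certs "$cert")
    n_ca=$(count_pem_certs "$ca")
    status=0
    if [ "$n_cert" -ne 1 ]; then
        echo "TLSCertificateFile '$cert' holds $n_cert certificates;" \
             "only the first is loaded, move the rest to TLSCACertificateFile" >&2
        status=1
    fi
    if [ "$n_ca" -lt 1 ]; then
        echo "TLSCACertificateFile '$ca' holds no certificates;" \
             "no intermediates will be sent to clients" >&2
        status=1
    fi
    return $status
}

# Usage (after sourcing this file): check_tls_layout /etc/openldap/slapd.conf
```

The same check applies to the client side by substituting TLS_CERT and TLS_CACERT from ldap.conf(5); only the directive names differ.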
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of mai01cvr@studserv.uni-leipzig.de
> Full_Name: Arne Brutschy
> Version: 2.2.11
> OS: Linux 2.6.4
> URL: http://projects.nuschkys.net/patches/openldap-2.6.11-use_chain_certificates.patch.gz
Submission from: (NULL) (139.18.1.5)
OpenLDAP does not allow sending certificate chains, which allows sending more
than one certificate in the TLS response.
Here is a very simple patch to allow this:
diff -urN openldap-2.2.11-orig/libraries/libldap/tls.c
openldap-2.2.11/libraries/libldap/tls.c
--- openldap-2.2.11-orig/libraries/libldap/tls.c 2004-01-01
19:16:30.000000000 +0100
+++ openldap-2.2.11/libraries/libldap/tls.c 2004-05-26 10:46:10.708020320
+0200
@@ -325,8 +325,8 @@
}
if ( tls_opt_certfile &&
- !SSL_CTX_use_certificate_file( tls_def_ctx,
- certfile, SSL_FILETYPE_PEM ) )
+ !SSL_CTX_use_certificate_chain_file( tls_def_ctx,
+ certfile ) )
{
#ifdef NEW_LOGGING
LDAP_LOG ( TRANSPORT, ERR,
"ldap_pvt_tls_init_def_ctx:
"
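Review bot: Swapping SSL_CTX_use_certificate_file() for SSL_CTX_use_certificate_chain_file() in this hunk changes the meaning of the certfile: OpenSSL takes the first PEM block as the server certificate and sends every following block as the chain, in file order, without checking that the blocks actually chain to one another, so a file with intermediates in the wrong order produces a broken chain on the wire with no error at load time. The ldap.conf(5)/slapd.conf(5) text for TLS_CERT/TLSCertificateFile would need to document that leaf-first ordering, and the behaviour overlaps with the existing TLS_CACERT/TLSCACertificateFile mechanism named in the reply above, which should be reconciled before the semantics of an existing directive are changed. Also, the patch URL names openldap-2.6.11 while the file headers are against 2.2.11; regenerate the hunk against the release it targets.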