[Date Prev][Date Next]
Re: (ITS#5515) v2.4.9 + GnuTLS fails with wildcard certificate, OpenSSL works correctly
> Full_Name: Ben Goldsbury
> Version: 2.4.9
> OS: Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (18.104.22.168)
> When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my testing) and
> using a valid Wildcard SSL certificate, TLS connections to OpenLDAP fail with:
> TLS certificate verification: Error, unable to get local issuer certificate
> When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my testing)
> and using the same certificate, connections work properly.
> Please contact me if you need any additional information.
This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.
What exactly do you mean by "Wildcard SSL certificate" ? There are a couple
different approaches to that. One uses the subjectAltName extension, and that
is the officially sanctioned approach. One uses "*" in the certificate CN, and
that is non-standard and generally not supposed to work.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/