[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5515) v2.4.9 + GnuTLS fails with wildcard certificate, OpenSSL works correctly

bgoldsbury@gleim.com wrote:
> Full_Name: Ben Goldsbury
> Version: 2.4.9
> OS: Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my testing) and
> using a valid Wildcard SSL certificate, TLS connections to OpenLDAP fail with:
> TLS certificate verification: Error, unable to get local issuer certificate
> When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my testing)
> and using the same certificate, connections work properly.
> Please contact me if you need any additional information.

This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.

What exactly do you mean by "Wildcard SSL certificate" ? There are a couple 
different approaches to that. One uses the subjectAltName extension, and that 
is the officially sanctioned approach. One uses "*" in the certificate CN, and 
that is non-standard and generally not supposed to work.
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/