Re: (ITS#5515) v2.4.9 + GnuTLS fails with wildcard certificate, OpenSSL works correctly
We're using *.domain.tld in the CN and subjectAltName:DNS:*.domain.tld
This may be a GnuTLS issue, as I am able to reproduce it with the GnuTLS
server/client testing tools.
On Sat, 2008-05-17 at 23:23 -0700, Howard Chu wrote:
> firstname.lastname@example.org wrote:
> > Full_Name: Ben Goldsbury
> > Version: 2.4.9
> > OS: Debian
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (220.127.116.11)
> > When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my testing) and
> > using a valid Wildcard SSL certificate, TLS connections to OpenLDAP fail with:
> > TLS certificate verification: Error, unable to get local issuer certificate
> > When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my testing)
> > and using the same certificate, connections work properly.
> > Please contact me if you need any additional information.
> This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.
> What exactly do you mean by "Wildcard SSL certificate"? There are a couple
> different approaches to that. One uses the subjectAltName extension, and that
> is the officially sanctioned approach. One uses "*" in the certificate CN, and
> that is non-standard and generally not supposed to work.
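The distinction drawn above between a wildcard in a subjectAltName dNSName entry and a "*" in the certificate CN, as an added illustration that is not code from the thread, OpenLDAP or GnuTLS: a small Python hostname matcher (the `hostname_matches` function and the certificate dict shape are assumptions) that honours only a single leftmost-label wildcard, ignores the CN whenever any dNSName SAN is present, and accepts a CN wildcard only when the caller opts in.

```python
"""Constructed wildcard-certificate hostname matcher (not OpenLDAP/GnuTLS code).

Rules implemented:
  * a wildcard is honoured only as the entire leftmost label ("*.domain.tld");
  * the wildcard covers exactly one label, so neither "domain.tld" nor
    "a.b.domain.tld" matches "*.domain.tld";
  * "*.tld" (wildcard directly under the top-level label) is rejected;
  * if the certificate carries any dNSName SAN, the CN is ignored entirely;
  * a wildcard in the CN is the non-standard form and is rejected unless
    allow_cn_wildcard=True.
"""


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Partial-label wildcards ("ld*.domain.tld"), wildcards in other
    # positions, a bare "*" and "*.tld" are all refused.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert: dict, hostname: str, allow_cn_wildcard: bool = False) -> bool:
    """cert is a constructed dict such as
    {"san": ["*.domain.tld"], "cn": "*.domain.tld"}; "san" lists dNSName
    entries and "cn" is the subject CN.  Returns True if hostname is covered.
    """
    sans = cert.get("san") or []
    if sans:
        # SAN present: CN is not consulted, even if it would have matched.
        return any(_pattern_matches(p, hostname) for p in sans)
    cn = cert.get("cn")
    if not cn:
        return False
    if "*" in cn and not allow_cn_wildcard:
        return False
    return _pattern_matches(cn, hostname)
```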