
Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certificate chain while slapd+openssl does



mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl
> does.
>
> openldap version: 2.4.15
> gnutls version: 2.4.2
> openssl version: 0.9.8g
>
> Here are two systems running slapd 2.4.15 - one compiled with gnutls
> (t-slapd-gnutls), the other with openssl (t-slapd-openssl).

This appears to be a logical disconnect between the GnuTLS and OpenSSL APIs; 
the OpenLDAP docs were written for OpenSSL...

The way we use the OpenSSL library, it's assumed that only a single cert and 
key are present in the configured certfile and keyfile, and all of the 
relevant CAs for that cert are present in the CA file/path.

In the GnuTLS library, the library expects the entire cert chain to be present 
in the certfile. I think it's clear from this message
http://groups.google.com/group/linux.debian.bugs.dist/msg/8fec96a62571d6e9
that this is a weakness in the GnuTLS API, one that prevents it from 
distinguishing between CA certs and end-entity certs, and thus the reason the 
whole V1 trust problem arose in the first place.

As an immediate workaround, you can simply copy the appropriate CA certs into 
your server cert file. In the meantime it looks like we'll just have to use 
gnutls_certificate_set_x509_key() to address this.

> mathiaz@t-slapd-gnutls:~$ gnutls-cli --x509cafile allca.pem --print-cert -p 636
> t-slapd-gnutls.
> Processed 2 CA certificate(s).
> Resolving 't-slapd-gnutls.'...
> Connecting to '172.19.42.87:636'...
> - Certificate type: X.509
>   - Got a certificate list of 1 certificates.
>
>   - Certificate[0] info:
>
> -----BEGIN CERTIFICATE-----
> MIICyTCCAjKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJDQTEL
> MAkGA1UECBMCUUMxEDAOBgNVBAoTB01hdGhpYXoxGjAYBgNVBAMTEVRFU1QgQ0FW
> MSAtIEhBUkRZMB4XDTA5MDMwNDE5NTcxMVoXDTEwMDMwNDE5NTcxMVowRjELMAkG
> A1UEBhMCQ0ExCzAJBgNVBAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRgwFgYDVQQD
> Ew90LXNsYXBkLWdudXRscy4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL5X
> ERAGYnqTCJae2FnEB1qT2Hk0sNiD1n+mnyhNDespomTINPLKpZZmqOSlD7x71zuy
> DQ/Z6uxgIxOhuUV9VVo2cISi9MmEOYn4qxGq2YIHyra5FJZf6O43qajicDaRRzGz
> UA17ap7vDqgig9T4qFvwCllz4EFlcTzxV+N99m1RAgMBAAGjgcQwgcEwCQYDVR0T
> BAIwADALBgNVHQ8EBAMCBaAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
> dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSii4L1Po9xGWrMD2oG8VeFuTQtfzBa
> BgNVHSMEUzBRoUykSjBIMQswCQYDVQQGEwJDQTELMAkGA1UECBMCUUMxEDAOBgNV
> BAoTB01hdGhpYXoxGjAYBgNVBAMTEVRFU1QgQ0FWMSAtIEhBUkRZggEAMA0GCSqG
> SIb3DQEBBQUAA4GBAEEQMsEc0VQOt1y8B22xfRewUmwMKk34J80aFkKuG/RQJoBw
> TSnlHpqyZFvmOu4JaCJAh6IdTdxfsuDB5vu/5kpNMc3jJX1Ale17l1MuxB6lvcKn
> zG3A17BIIZh3aoJcVQgDAQ8Vr/I9z8y51i1Qr37E5HF2GjuuyF+5BJz9lITq
> -----END CERTIFICATE-----
>
>   # The hostname in the certificate matches 't-slapd-gnutls.'.
>   # valid since: Wed Mar  4 14:57:11 EST 2009
>   # expires at: Thu Mar  4 14:57:11 EST 2010
>   # fingerprint: 72:5A:24:83:6C:5C:3F:0E:80:52:F1:61:CD:C3:0D:31
>   # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=t-slapd-gnutls.
>   # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
>
> - Peer's certificate is trusted
> - Version: TLS1.1
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> mathiaz@t-slapd-gnutls:~$ gnutls-cli --x509cafile allca.pem --print-cert -p 636
> t-slapd-openssl.
> Processed 2 CA certificate(s).
> Resolving 't-slapd-openssl.'...
> Connecting to '172.19.42.220:636'...
> - Certificate type: X.509
>   - Got a certificate list of 2 certificates.
>
>   - Certificate[0] info:
>
> -----BEGIN CERTIFICATE-----
> MIIB/jCCAWcCAQcwDQYJKoZIhvcNAQEFBQAwSDELMAkGA1UEBhMCQ0ExCzAJBgNV
> BAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRowGAYDVQQDExFURVNUIENBVjEgLSBI
> QVJEWTAeFw0wOTAzMDQyMDExMTRaFw0xMDAzMDQyMDExMTRaMEcxCzAJBgNVBAYT
> AkNBMQswCQYDVQQIEwJRQzEQMA4GA1UEChMHTWF0aGlhejEZMBcGA1UEAxMQdC1z
> bGFwZC1vcGVuc3NsLjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzTEuHfVR
> ELoXxSyVTwWrfIIsoKqBfbZYJSGQcTTEtuvxABxX8AoKyc9T+AkhR4wsSmRZGOBz
> opH9u0LReaGyhWkUA/XaFF24jkSogi6yDsh478P/ayZjushPLh9LpIeW/2lD9xkh
> t5LGW255lXIMGI5+/x8EgiaU1pS5OO9wz/kCAwEAATANBgkqhkiG9w0BAQUFAAOB
> gQBlg/lIawsDYFqqNz61BNl2nix4LrIRFxiOA/p14VFkRyuCVHXDjhBtlb13wBZk
> wVTDfUdykvy2nlJq8bLQ7OYYdiA4h64HMnLTMyMALKBFiVwyrg/GvF7TsUg3K41K
> uFTF0H1bQOmqrJPcIu8r+h3gQLkCRvBLssZaQtA4M4jw4A==
> -----END CERTIFICATE-----
>
>   # The hostname in the certificate matches 't-slapd-openssl.'.
>   # valid since: Wed Mar  4 15:11:14 EST 2009
>   # expires at: Thu Mar  4 15:11:14 EST 2010
>   # fingerprint: 85:7F:06:0A:EC:3A:9E:6C:78:BC:FC:C3:8F:4D:4B:E9
>   # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=t-slapd-openssl.
>   # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
>   - Certificate[1] info:
>
> -----BEGIN CERTIFICATE-----
> MIIB/zCCAWgCAQAwDQYJKoZIhvcNAQEFBQAwSDELMAkGA1UEBhMCQ0ExCzAJBgNV
> BAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRowGAYDVQQDExFURVNUIENBVjEgLSBI
> QVJEWTAeFw0wOTAzMDMxODI1NTBaFw0xMjAzMDIxODI1NTBaMEgxCzAJBgNVBAYT
> AkNBMQswCQYDVQQIEwJRQzEQMA4GA1UEChMHTWF0aGlhejEaMBgGA1UEAxMRVEVT
> VCBDQVYxIC0gSEFSRFkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMZSKqDg
> Y5rn4SgJUgnO0IAM2Us/5sQ18mu8gxoDeLkIcHHuiwYHeT4BcOit2hemmOCIEolh
> XPKkMD4MVAbafDFtJjhuEgPtWoUuZcOa9gRi3eH+h7QEYhhwnwLewrQGhx4tsfY4
> wR3LIUm/lxkJISy17v3uc5yNLcAlreUrrdJ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
> gYEAAsaBDAMUKofwOZPNNV/9EKglG7O3G5p/i9h8n5C3bXy6E6vWtVxqpWd5qBEt
> uMXU1vIIop7FrKornuPWtEy4jKSw12Sv9EXaUJ9rfXQTWh6GpgUmTjlZtOwjABT9
> fAU4M9MdLDTBaZA11NqtdMMPKTwTHXjmv9bKcgOLh1g5WhQ=
> -----END CERTIFICATE-----
>
>   # valid since: Tue Mar  3 13:25:50 EST 2009
>   # expires at: Fri Mar  2 13:25:50 EST 2012
>   # fingerprint: 66:D2:B7:8E:03:DD:BF:24:4D:A1:D8:EA:8E:6F:8B:80
>   # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>   # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
>
> - Peer's certificate is trusted
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> ^C
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
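The following shell helpers are an added example for readers of this thread; they are not code from the ITS report, from Howard's reply, or from OpenLDAP itself. They implement the workaround described above (the server certificate followed by the CA certificates in one PEM file, which is the layout a GnuTLS-linked slapd needs in its certificate file) and a live check that parses the same "Got a certificate list of N certificates" line that gnutls-cli printed in the report. Assumptions: all input is PEM; `gnutls-cli` is needed only for `served_cert_count`; the fixture bodies written by `write_constructed_fixtures` are constructed placeholder strings, not real certificates, so only the PEM framing is exercised offline.

```shell
#!/bin/sh
# Added example, not code from the ITS thread or from OpenLDAP.
# Builds the chain file the GnuTLS build of slapd needs (end-entity cert
# first, then its CA certs) and checks what a server actually sends.
# Assumes PEM input; gnutls-cli is only needed by served_cert_count.

# Number of PEM certificate blocks in a file. For the file slapd serves,
# this is the N gnutls-cli reports as "Got a certificate list of N".
pem_cert_count() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true  # grep -c exits 1 on zero
}

# Print the i-th (1-based) PEM certificate block of a file.
pem_cert_nth() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want                     { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Exit 0 if the PEM block given in $2 already occurs, byte for byte, in file $1.
pem_block_present() {
    pbp_n=$(pem_cert_count "$1")
    pbp_j=1
    while [ "$pbp_j" -le "$pbp_n" ]; do
        if [ "$(pem_cert_nth "$1" "$pbp_j")" = "$2" ]; then
            return 0
        fi
        pbp_j=$((pbp_j + 1))
    done
    return 1
}

# Build the chain file: the first certificate of $1 (the server cert) comes
# first, then every certificate of the CA bundle $2, in bundle order,
# skipping blocks already present. Result is written to $3.
build_chain_file() {
    bcf_server=$1; bcf_bundle=$2; bcf_out=$3
    if [ "$(pem_cert_count "$bcf_server")" -lt 1 ]; then
        echo "no certificate found in $bcf_server" >&2
        return 1
    fi
    pem_cert_nth "$bcf_server" 1 > "$bcf_out"
    bcf_total=$(pem_cert_count "$bcf_bundle")
    bcf_i=1
    while [ "$bcf_i" -le "$bcf_total" ]; do
        bcf_block=$(pem_cert_nth "$bcf_bundle" "$bcf_i")
        if ! pem_block_present "$bcf_out" "$bcf_block"; then
            printf '%s\n' "$bcf_block" >> "$bcf_out"
        fi
        bcf_i=$((bcf_i + 1))
    done
}

# Live check: how many certificates does the server really send? Parses
# the "Got a certificate list of N certificates." line of gnutls-cli
# --print-cert, as quoted in the report. Needs gnutls-cli and network
# access, so the offline checks do not call it.
# Usage: served_cert_count host [port] [cafile]
served_cert_count() {
    scc_host=$1; scc_port=${2:-636}
    if [ -n "$3" ]; then set -- --x509cafile "$3"; else set --; fi
    gnutls-cli --print-cert -p "$scc_port" "$@" "$scc_host" </dev/null 2>/dev/null \
        | sed -n 's/.*Got a certificate list of \([0-9]*\) certificate.*/\1/p'
}

# One PEM block around a body string, on stdout.
pem_wrap() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Constructed fixtures: server.pem with one block, allca.pem with two.
# The bodies are placeholder base64, NOT real certificates.
write_constructed_fixtures() {
    pem_wrap 'Y29uc3RydWN0ZWQtc2VydmVyLWNlcnQtcGxhY2Vob2xkZXI=' > "$1/server.pem"
    {
        pem_wrap 'Y29uc3RydWN0ZWQtcm9vdC1jYS1wbGFjZWhvbGRlcg=='
        pem_wrap 'Y29uc3RydWN0ZWQtc3ViLWNhLXBsYWNlaG9sZGVy'
    } > "$1/allca.pem"
}

# Stand-alone run ("sh chain.sh demo"): build a chain from the fixtures.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_constructed_fixtures "$d"
    build_chain_file "$d/server.pem" "$d/allca.pem" "$d/chain.pem"
    echo "server.pem: $(pem_cert_count "$d/server.pem") cert(s)"
    echo "chain.pem:  $(pem_cert_count "$d/chain.pem") cert(s)"
    rm -rf "$d"
fi
```

Point `build_chain_file` at the real server certificate and CA bundle (the report's `allca.pem`), install the result as the slapd certificate file, and compare `pem_cert_count chain.pem` with `served_cert_count host 636 allca.pem` after a restart: the two numbers should agree, and the quoted report shows the mismatch to expect before the fix (1 versus 2). Ordering matters: the end-entity certificate has to be the first block in the file, which is why the function takes it from the server file rather than relying on bundle order.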