[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certficate chain while slapd+openssl does

On Wed, Mar 04, 2009 at 07:49:38PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl
>> does.
>> openldap version: 2.4.15
>> gnutls version: 2.4.2
>> openssl version: 0.9.8g
>> Here are two systems running slapd 2.4.15 - one compiled with gnutls
>> (t-slapd-gnutls), the other with openssl (t-slapd-openssl).
> This appears to be a logical disconnect between the GnuTLS and OpenSSL 
> APIs; the OpenLDAP docs were written for OpenSSL...
> The way we use the OpenSSL library, it's assumed that only a single cert 
> and key are present in the configured certfile and keyfile, and all of 
> the relevant CAs for that cert are present in the CA file/path.
> In the GnuTLS library, the library expects the entire cert chain to be 
> present in the certfile. I think it's clear from this message
> http://groups.google.com/group/linux.debian.bugs.dist/msg/8fec96a62571d6e9
> that this is a weakness in the GnuTLS API, one that prevents it from  
> distinguishing between CA certs and end-entity certs, and thus the reason 
> the whole V1 trust problem arose in the first place.
> As an immediate workaround, you can simply copy the appropriate CA certs 
> into your server cert file. In the meantime it looks like we'll just have 
> to use gnutls_certificate_set_x509_key() to address this.

Thanks for the workaround. It works as expected. I haven't tested the
patch applied to CVS and thus haven't included it in Ubuntu yet.

Mathias Gug
Ubuntu Developer  http://www.ubuntu.com