Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certificate chain while slapd+openssl does
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certificate chain while slapd+openssl does
- From: firstname.lastname@example.org
- Date: Fri, 6 Mar 2009 23:02:29 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Wed, Mar 04, 2009 at 07:49:38PM -0800, Howard Chu wrote:
> email@example.com wrote:
>> slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl
>> openldap version: 2.4.15
>> gnutls version: 2.4.2
>> openssl version: 0.9.8g
>> Here are two systems running slapd 2.4.15 - one compiled with gnutls
>> (t-slapd-gnutls), the other with openssl (t-slapd-openssl).
> This appears to be a logical disconnect between the GnuTLS and OpenSSL
> APIs; the OpenLDAP docs were written for OpenSSL...
> The way we use the OpenSSL library, it's assumed that only a single cert
> and key are present in the configured certfile and keyfile, and all of
> the relevant CAs for that cert are present in the CA file/path.
> In the GnuTLS library, the library expects the entire cert chain to be
> present in the certfile. I think it's clear from this message
> that this is a weakness in the GnuTLS API, one that prevents it from
> distinguishing between CA certs and end-entity certs, and thus the reason
> the whole V1 trust problem arose in the first place.
> As an immediate workaround, you can simply copy the appropriate CA certs
> into your server cert file. In the meantime it looks like we'll just have
> to use gnutls_certificate_set_x509_key() to address this.
Thanks for the workaround. It works as expected. I haven't tested the
patch applied to CVS and thus haven't included it in Ubuntu yet.
Ubuntu Developer http://www.ubuntu.com
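The workaround discussed above (copying the CA certs into the server cert file so that slapd+GnuTLS sends the whole chain) as an added example; this is not code from the ITS thread or from OpenLDAP. File names and the PEM contents are constructed placeholders, and the resulting file is what you would point the slapd `TLSCertificateFile` directive at.

```shell
#!/bin/sh
# Added example, not code from the ITS thread: build the combined PEM file
# that slapd+GnuTLS expects (end-entity cert first, then each issuing CA in
# order) and count what it contains. File names below are constructed.
set -e

# build_chain_file OUT LEAF CA1 [CA2 ...]
# Copies only the CERTIFICATE blocks, in the order given, so stray text or
# bag attributes in the inputs do not end up in the file slapd loads.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no certificate in $f" >&2; return 1; }
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$f" >> "$out"
    done
}

# Number of certificate blocks in a PEM file. With GnuTLS this is how many
# certs slapd will send; with OpenSSL the cert file should hold only the
# server cert (1) and the CAs belong in TLSCACertificateFile instead.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Demo with constructed placeholder blocks (not real certificates).
demo_dir=$(mktemp -d)
pem() { printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"; }
pem SERVER       > "$demo_dir/server.pem"
pem INTERMEDIATE > "$demo_dir/intermediate-ca.pem"
pem ROOT         > "$demo_dir/root-ca.pem"
build_chain_file "$demo_dir/server-chain.pem" \
    "$demo_dir/server.pem" "$demo_dir/intermediate-ca.pem" "$demo_dir/root-ca.pem"
echo "certs in chain file: $(pem_cert_count "$demo_dir/server-chain.pem")"
```

To confirm what a running server actually presents, `openssl s_client -showcerts` against the LDAP TLS port lists every certificate it sent, which should match the count above on the GnuTLS build.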