[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS CA Chain Problem

To: openldap-technical@openldap.org
Subject: Re: TLS CA Chain Problem
From: Iruwen <iruwen@gmx.net>
Date: Tue, 13 Oct 2009 14:05:10 +0200
In-reply-to: <e021c7c00910130347u68d6483anec70d4d670237884@mail.gmail.com>
References: <4AD328DE.1040704@gmx.net> <17C06D5B-A317-433D-8DD5-933F21E4CD72@gmail.com> <4AD428A8.2050904@gmx.net> <e021c7c00910130347u68d6483anec70d4d670237884@mail.gmail.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Brett @Google schrieb:

Have a look at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517188
Openldap in Lenny is linked against GNUtls instead of openssl. GNUtls doesn't support the

TLS_CACERTDIR configuration option, so we have to use TLS_CACERT to specify a file with
trusted CA certificates.

GNUtls is not the same as openssl, if you are affected by this bugthen it will only load the first cert.


Cheers
Brett

I just noticed that I can remove the CA related directives and copy allerequired intermediate certificates and the root certificate directlyinto the key file to build the trust chain. Problem solved.

Thanks for pushing my research into the right direction!

References:
- TLS CA Chain Problem
  - From: Iruwen <iruwen@gmx.net>
- Re: TLS CA Chain Problem
  - From: Iruwen <iruwen@gmx.net>

Prev by Date: Re: TLS CA Chain Problem
Next by Date: Re: OpenLDAP Scaling
Index(es):
- Chronological
- Thread