[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6192) OpenLDAP doesn't support SHA-256 signed certificates

sjv@genoscope.cns.fr wrote:
> Full_Name: Simon Vallet
> Version: 2.4.16
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hi,
> trying to use SHA-256 signed certificates for SSL connections to an OpenLDAP
> server leads to the following OpenSSL error messages :
> TLS certificate verification: Error, certificate signature failure
> tls_write: want=7, written=7
>    0000:  15 03 01 00 02 02 33                               ......3
> TLS trace: SSL3 alert write:fatal:decrypt error
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm.
> This is due to OpenLDAP not explicitly enabling SHA-2 ciphers after calling
> SSLeay_add_ssl_algorithms(), which only enables some digest algorithms.
> As SHA-256 is becoming more common and as it is, in fact, mandated by TLS 1.2, I
> think OpenLDAP should support it.
> For a similar problem, you might want to take a look at
> http://bugs.exim.org/show_bug.cgi?id=674

Thanks for the report. I've chosen to call OpenSSL_add_all_digests() in our 
init. Note that this has no impact on the actual TLS protocol handshake, since 
OpenSSL still only supports TLSv1.0.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/