
OpenLDAP does not allow to send certificate chains (ITS#3159)



Full_Name: Arne Brutschy
Version: 2.2.11
OS: Linux 2.6.4
URL: http://projects.nuschkys.net/patches/openldap-2.6.11-use_chain_certificates.patch.gz
Submission from: (NULL) (139.18.1.5)


OpenLDAP does not allow certificate chains to be sent, which would allow more
than one certificate to be sent in the TLS response.

Here is a very simple patch to allow this:

diff -urN openldap-2.2.11-orig/libraries/libldap/tls.c
openldap-2.2.11/libraries/libldap/tls.c
--- openldap-2.2.11-orig/libraries/libldap/tls.c        2004-01-01
19:16:30.000000000 +0100
+++ openldap-2.2.11/libraries/libldap/tls.c     2004-05-26 10:46:10.708020320
+0200
@@ -325,8 +325,8 @@
                }

                if ( tls_opt_certfile &&
-                       !SSL_CTX_use_certificate_file( tls_def_ctx,
-                               certfile, SSL_FILETYPE_PEM ) )
+                       !SSL_CTX_use_certificate_chain_file( tls_def_ctx,
+                               certfile ) )
                {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx:
"
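Review bot: the hunk changes the loading call but not the documentation of the certificate file option (tls_opt_certfile, set by the TLSCertificateFile directive); since SSL_CTX_use_certificate_chain_file() treats the first certificate in the file as the server certificate and adds every following certificate to the chain sent to the peer, the man page should state that the file may now hold the server certificate followed by its intermediate CA certificates, in leaf-to-root order. Dropping the SSL_FILETYPE_PEM argument is consistent, because SSL_CTX_use_certificate_chain_file() reads PEM only, which is the only format the old call accepted here. The failure log message starting "ldap_pvt_tls_init_def_ctx:" is cut off in this copy of the patch; if its remainder names SSL_CTX_use_certificate_file, it should be updated to name the new function so the error is not misleading.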