
RE: OpenLDAP does not allow to send certificate chains (ITS#3159)



Certificate chains are specified using the TLS_CACERT ldap.conf(5) directive
or the TLSCACertificateFile slapd.conf(5) directive. I see no reason to
change this behavior.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of mai01cvr@studserv.uni-leipzig.de

> Full_Name: Arne Brutschy
> Version: 2.2.11
> OS: Linux 2.6.4
> URL:
> http://projects.nuschkys.net/patches/openldap-2.6.11-use_chain_certificates.patch.gz
Submission from: (NULL) (139.18.1.5)


OpenLDAP does not allow sending certificate chains, which would allow more than
one certificate to be sent in the TLS response.

Here is a very simple patch to allow this:

diff -urN openldap-2.2.11-orig/libraries/libldap/tls.c
openldap-2.2.11/libraries/libldap/tls.c
--- openldap-2.2.11-orig/libraries/libldap/tls.c        2004-01-01
19:16:30.000000000 +0100
+++ openldap-2.2.11/libraries/libldap/tls.c     2004-05-26 10:46:10.708020320
+0200
@@ -325,8 +325,8 @@
                }

                if ( tls_opt_certfile &&
-                       !SSL_CTX_use_certificate_file( tls_def_ctx,
-                               certfile, SSL_FILETYPE_PEM ) )
+                       !SSL_CTX_use_certificate_chain_file( tls_def_ctx,
+                               certfile ) )
                {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR,
"ldap_pvt_tls_init_def_ctx:
"
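Review bot: replacing `SSL_CTX_use_certificate_file` with `SSL_CTX_use_certificate_chain_file( tls_def_ctx, certfile )` changes what the file named by `tls_opt_certfile` must contain, but the patch updates neither ldap.conf(5) nor slapd.conf(5). With the chain variant OpenSSL takes the first PEM certificate in the file as the server's own certificate and sends every certificate that follows it as the chain, with no ordering check, so the documentation should state that the file must list the end-entity certificate first followed by the intermediate CA certificates in issuing order; a file containing only the leaf keeps working unchanged. The extra certificates loaded this way only affect what is sent to the peer; verification of the peer's certificate still uses the TLS_CACERT / TLSCACertificateFile store that Howard points to above, which is worth saying explicitly so the two directives are not confused.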