[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certficate chain while slapd+openssl does
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certficate chain while slapd+openssl does
- From: hyc@symas.com
- Date: Thu, 5 Mar 2009 03:49:59 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl
> does.
>
> openldap version: 2.4.15
> gnutls version: 2.4.2
> openssl version: 0.9.8g
>
> Here are two systems running slapd 2.4.15 - one compiled with gnutls
> (t-slapd-gnutls), the other with openssl (t-slapd-openssl).
This appears to be a logical disconnect between the GnuTLS and OpenSSL APIs;
the OpenLDAP docs were written for OpenSSL...
The way we use the OpenSSL library, it's assumed that only a single cert and
key are present in the configured certfile and keyfile, and all of the
relevant CAs for that cert are present in the CA file/path.
In the GnuTLS library, the library expects the entire cert chain to be present
in the certfile. I think it's clear from this message
http://groups.google.com/group/linux.debian.bugs.dist/msg/8fec96a62571d6e9
that this is a weakness in the GnuTLS API, one that prevents it from
distinguishing between CA certs and end-entity certs, and thus the reason the
whole V1 trust problem arose in the first place.
As an immediate workaround, you can simply copy the appropriate CA certs into
your server cert file. In the meantime it looks like we'll just have to use
gnutls_certificate_set_x509_key() to address this.
> mathiaz@t-slapd-gnutls:~$ gnutls-cli --x509cafile allca.pem --print-cert -p 636
> t-slapd-gnutls.
> Processed 2 CA certificate(s).
> Resolving 't-slapd-gnutls.'...
> Connecting to '172.19.42.87:636'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
>
> - Certificate[0] info:
>
> -----BEGIN CERTIFICATE-----
> MIICyTCCAjKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJDQTEL
> MAkGA1UECBMCUUMxEDAOBgNVBAoTB01hdGhpYXoxGjAYBgNVBAMTEVRFU1QgQ0FW
> MSAtIEhBUkRZMB4XDTA5MDMwNDE5NTcxMVoXDTEwMDMwNDE5NTcxMVowRjELMAkG
> A1UEBhMCQ0ExCzAJBgNVBAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRgwFgYDVQQD
> Ew90LXNsYXBkLWdudXRscy4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL5X
> ERAGYnqTCJae2FnEB1qT2Hk0sNiD1n+mnyhNDespomTINPLKpZZmqOSlD7x71zuy
> DQ/Z6uxgIxOhuUV9VVo2cISi9MmEOYn4qxGq2YIHyra5FJZf6O43qajicDaRRzGz
> UA17ap7vDqgig9T4qFvwCllz4EFlcTzxV+N99m1RAgMBAAGjgcQwgcEwCQYDVR0T
> BAIwADALBgNVHQ8EBAMCBaAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
> dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSii4L1Po9xGWrMD2oG8VeFuTQtfzBa
> BgNVHSMEUzBRoUykSjBIMQswCQYDVQQGEwJDQTELMAkGA1UECBMCUUMxEDAOBgNV
> BAoTB01hdGhpYXoxGjAYBgNVBAMTEVRFU1QgQ0FWMSAtIEhBUkRZggEAMA0GCSqG
> SIb3DQEBBQUAA4GBAEEQMsEc0VQOt1y8B22xfRewUmwMKk34J80aFkKuG/RQJoBw
> TSnlHpqyZFvmOu4JaCJAh6IdTdxfsuDB5vu/5kpNMc3jJX1Ale17l1MuxB6lvcKn
> zG3A17BIIZh3aoJcVQgDAQ8Vr/I9z8y51i1Qr37E5HF2GjuuyF+5BJz9lITq
> -----END CERTIFICATE-----
>
> # The hostname in the certificate matches 't-slapd-gnutls.'.
> # valid since: Wed Mar 4 14:57:11 EST 2009
> # expires at: Thu Mar 4 14:57:11 EST 2010
> # fingerprint: 72:5A:24:83:6C:5C:3F:0E:80:52:F1:61:CD:C3:0D:31
> # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=t-slapd-gnutls.
> # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
>
> - Peer's certificate is trusted
> - Version: TLS1.1
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> mathiaz@t-slapd-gnutls:~$ gnutls-cli --x509cafile allca.pem --print-cert -p 636
> t-slapd-openssl.
> Processed 2 CA certificate(s).
> Resolving 't-slapd-openssl.'...
> Connecting to '172.19.42.220:636'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
>
> - Certificate[0] info:
>
> -----BEGIN CERTIFICATE-----
> MIIB/jCCAWcCAQcwDQYJKoZIhvcNAQEFBQAwSDELMAkGA1UEBhMCQ0ExCzAJBgNV
> BAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRowGAYDVQQDExFURVNUIENBVjEgLSBI
> QVJEWTAeFw0wOTAzMDQyMDExMTRaFw0xMDAzMDQyMDExMTRaMEcxCzAJBgNVBAYT
> AkNBMQswCQYDVQQIEwJRQzEQMA4GA1UEChMHTWF0aGlhejEZMBcGA1UEAxMQdC1z
> bGFwZC1vcGVuc3NsLjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzTEuHfVR
> ELoXxSyVTwWrfIIsoKqBfbZYJSGQcTTEtuvxABxX8AoKyc9T+AkhR4wsSmRZGOBz
> opH9u0LReaGyhWkUA/XaFF24jkSogi6yDsh478P/ayZjushPLh9LpIeW/2lD9xkh
> t5LGW255lXIMGI5+/x8EgiaU1pS5OO9wz/kCAwEAATANBgkqhkiG9w0BAQUFAAOB
> gQBlg/lIawsDYFqqNz61BNl2nix4LrIRFxiOA/p14VFkRyuCVHXDjhBtlb13wBZk
> wVTDfUdykvy2nlJq8bLQ7OYYdiA4h64HMnLTMyMALKBFiVwyrg/GvF7TsUg3K41K
> uFTF0H1bQOmqrJPcIu8r+h3gQLkCRvBLssZaQtA4M4jw4A==
> -----END CERTIFICATE-----
>
> # The hostname in the certificate matches 't-slapd-openssl.'.
> # valid since: Wed Mar 4 15:11:14 EST 2009
> # expires at: Thu Mar 4 15:11:14 EST 2010
> # fingerprint: 85:7F:06:0A:EC:3A:9E:6C:78:BC:FC:C3:8F:4D:4B:E9
> # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=t-slapd-openssl.
> # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
> - Certificate[1] info:
>
> -----BEGIN CERTIFICATE-----
> MIIB/zCCAWgCAQAwDQYJKoZIhvcNAQEFBQAwSDELMAkGA1UEBhMCQ0ExCzAJBgNV
> BAgTAlFDMRAwDgYDVQQKEwdNYXRoaWF6MRowGAYDVQQDExFURVNUIENBVjEgLSBI
> QVJEWTAeFw0wOTAzMDMxODI1NTBaFw0xMjAzMDIxODI1NTBaMEgxCzAJBgNVBAYT
> AkNBMQswCQYDVQQIEwJRQzEQMA4GA1UEChMHTWF0aGlhejEaMBgGA1UEAxMRVEVT
> VCBDQVYxIC0gSEFSRFkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMZSKqDg
> Y5rn4SgJUgnO0IAM2Us/5sQ18mu8gxoDeLkIcHHuiwYHeT4BcOit2hemmOCIEolh
> XPKkMD4MVAbafDFtJjhuEgPtWoUuZcOa9gRi3eH+h7QEYhhwnwLewrQGhx4tsfY4
> wR3LIUm/lxkJISy17v3uc5yNLcAlreUrrdJ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
> gYEAAsaBDAMUKofwOZPNNV/9EKglG7O3G5p/i9h8n5C3bXy6E6vWtVxqpWd5qBEt
> uMXU1vIIop7FrKornuPWtEy4jKSw12Sv9EXaUJ9rfXQTWh6GpgUmTjlZtOwjABT9
> fAU4M9MdLDTBaZA11NqtdMMPKTwTHXjmv9bKcgOLh1g5WhQ=
> -----END CERTIFICATE-----
>
> # valid since: Tue Mar 3 13:25:50 EST 2009
> # expires at: Fri Mar 2 13:25:50 EST 2012
> # fingerprint: 66:D2:B7:8E:03:DD:BF:24:4D:A1:D8:EA:8E:6F:8B:80
> # Subject's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
> # Issuer's DN: C=CA,ST=QC,O=Mathiaz,CN=TEST CAV1 - HARDY
>
>
> - Peer's certificate is trusted
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> ^C
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/