Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certificate chain while slapd+openssl does
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5991) slapd+gnutls doesn't send all of the CA certs available in the certificate chain while slapd+openssl does
- From: mathiaz@ubuntu.com
- Date: Fri, 6 Mar 2009 23:02:29 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Wed, Mar 04, 2009 at 07:49:38PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl
>> does.
>>
>> openldap version: 2.4.15
>> gnutls version: 2.4.2
>> openssl version: 0.9.8g
>>
>> Here are two systems running slapd 2.4.15 - one compiled with gnutls
>> (t-slapd-gnutls), the other with openssl (t-slapd-openssl).
>
> This appears to be a logical disconnect between the GnuTLS and OpenSSL
> APIs; the OpenLDAP docs were written for OpenSSL...
>
> The way we use the OpenSSL library, it's assumed that only a single cert
> and key are present in the configured certfile and keyfile, and all of
> the relevant CAs for that cert are present in the CA file/path.
>
> In the GnuTLS library, the library expects the entire cert chain to be
> present in the certfile. I think it's clear from this message
> http://groups.google.com/group/linux.debian.bugs.dist/msg/8fec96a62571d6e9
> that this is a weakness in the GnuTLS API, one that prevents it from
> distinguishing between CA certs and end-entity certs, and thus the reason
> the whole V1 trust problem arose in the first place.
>
> As an immediate workaround, you can simply copy the appropriate CA certs
> into your server cert file. In the meantime it looks like we'll just have
> to use gnutls_certificate_set_x509_key() to address this.
Thanks for the workaround. It works as expected. I haven't tested the
patch applied to CVS and thus haven't included it in Ubuntu yet.
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com