(ITS#6192) OpenLDAP doesn't support SHA-256 signed certificates
Full_Name: Simon Vallet
Version: 2.4.16
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.83.221.39)
Hi,
trying to use SHA-256 signed certificates for SSL connections to an OpenLDAP
server leads to the following OpenSSL error messages:
TLS certificate verification: Error, certificate signature failure
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 33 ......3
TLS trace: SSL3 alert write:fatal:decrypt error
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm.
This is due to OpenLDAP not explicitly enabling SHA-2 ciphers after calling
SSLeay_add_ssl_algorithms(), which only enables some digest algorithms.
As SHA-256 is becoming more common and as it is, in fact, mandated by TLS 1.2, I
think OpenLDAP should support it.
For a similar problem, you might want to take a look at
http://bugs.exim.org/show_bug.cgi?id=674
Simon
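As an added illustration (not part of this report or of OpenLDAP's own code), the following Python reads the signatureAlgorithm OID straight out of a DER-encoded certificate, so an administrator can tell whether a server or CA certificate needs a SHA-2 digest to verify, which is the case that produces the "unknown message digest algorithm" error above, without relying on the TLS stack under test. The two sample certificates are constructed stand-ins with placeholder bodies; only their signatureAlgorithm encoding is real, and the same functions accept the DER bytes of any real certificate.

```python
SIG_ALG_NAMES = {  # OIDs found in a certificate's signatureAlgorithm field (RFC 3279 / RFC 4055)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA2_OIDS = {o for o, n in SIG_ALG_NAMES.items() if "sha1" not in n.lower()}  # need a SHA-2 digest registered

def _read_tlv(buf, pos, expect):
    """Parse one DER tag-length-value at pos, checking its tag; return (value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != expect:
        raise ValueError(f"expected tag 0x{expect:02x} at offset {pos - 2}, got 0x{tag:02x}")
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (dotted OID, name) of the outer signatureAlgorithm of a DER X.509 certificate."""
    cert, _ = _read_tlv(cert_der, 0, 0x30)  # Certificate ::= SEQUENCE { ... }
    _, pos = _read_tlv(cert, 0, 0x30)       # tbsCertificate, skipped
    alg, _ = _read_tlv(cert, pos, 0x30)     # signatureAlgorithm ::= AlgorithmIdentifier
    oid, _ = _read_tlv(alg, 0, 0x06)        # AlgorithmIdentifier.algorithm (OID)
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_NAMES.get(dotted, "unknown")

def needs_sha2_digest(cert_der):  # the case the reported OpenLDAP build cannot verify
    return signature_algorithm(cert_der)[0] in SHA2_OIDS

def _der(tag, content):  # short-form DER encoder, enough for the constructed samples below
    return bytes([tag, len(content)]) + content

def constructed_cert(oid_der):
    """Constructed stand-in (not a real certificate): placeholder body and signature, real signatureAlgorithm."""
    tbs = _der(0x30, _der(0x02, b"\x02"))    # placeholder tbsCertificate
    alg = _der(0x30, oid_der + b"\x05\x00")  # AlgorithmIdentifier { OID, NULL parameters }
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xff"))  # placeholder signatureValue BIT STRING

SHA256_RSA_CERT = constructed_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption
SHA1_RSA_CERT = constructed_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
```

To check a PEM certificate, base64-decode the text between the BEGIN/END lines and pass the resulting bytes to needs_sha2_digest().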