[Pkg-openldap-devel] Bug#517188: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate

Rik Theys Rik.Theys at esat.kuleuven.be
Thu Feb 26 09:29:13 UTC 2009


Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal

OpenLDAP in Lenny is linked against GnuTLS instead of OpenSSL. GnuTLS doesn't support the
TLS_CACERTDIR configuration option, so we have to use TLS_CACERT to specify a file with
trusted CA certificates.

According to the ldap.conf(5) man page, the TLS_CACERT file can contain all CA certificates
that should be trusted.

I've concatenated two CA certificates into one file and specified this file in ldap.conf.

I have two servers with certificates signed by different CAs. Server1 is signed by CA1 and
server2 is signed by CA2.

When I put CA1 at the top of the bundle file, I can connect to server1 but not server2 as the
certificate is not trusted. If I put CA2 at the top, I can connect to server2 but not server1.

When I use openssl s_client with the CA bundle, I can connect to both servers.

Is this the expected behaviour? Doesn't GnuTLS support more than one certificate in the TLS_CACERT
file? If so, this is a serious PITA as it makes migration from CA1 to CA2 much harder.

Regards,

Rik


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libgnutls26              2.4.2-4         the GNU TLS library - runtime libr
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information
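An added example, not from the bug report or from OpenLDAP: a stdlib-only Python checker that parses a TLS_CACERT bundle into its individual certificate blocks (so an admin can see how many CAs the file really holds and in which order), and a helper that moves a chosen CA to the top, the only arrangement that works while a client trusts just the first entry. The sample bundle is constructed; its two tiny DER blobs stand in for CA1 and CA2 and are not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Constructed placeholder "certificates": each base64 body decodes to a DER
# SEQUENCE (tag 0x30), enough to pass the framing check below. Real CA
# certificates are far longer; these stand in for CA1 and CA2.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_bundle(text):
    """Return [(sha256_fingerprint_of_der, pem_block), ...] in file order.

    Rejects non-CERTIFICATE blocks, invalid base64 and bodies that do not
    start with a DER SEQUENCE, so a corrupted bundle is reported instead of
    silently shortening the trust list.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: %s" % label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in certificate block: %s" % exc)
        if not der or der[0] != 0x30:
            raise ValueError("certificate block is not DER-encoded")
        pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
            "\n".join(body.split()))
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    if not certs:
        raise ValueError("no certificates found in bundle")
    return certs


def with_first(text, fingerprint):
    """Rewrite the bundle so the CA with this SHA-256 fingerprint is first."""
    certs = parse_bundle(text)
    chosen = [c for c in certs if c[0] == fingerprint]
    if not chosen:
        raise KeyError("fingerprint not in bundle: %s" % fingerprint)
    return "".join(pem for _, pem in chosen + [c for c in certs if c not in chosen])
```

Run `parse_bundle` on the real TLS_CACERT file to confirm both CAs are present and which one is first; the reordering only sidesteps the one-certificate behaviour for a single server at a time.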
