Failed to access LDAP server when a valid certificate is at <hash>.1+

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita
Hi,

We encountered a problem using OpenLDAP with OpenSSL when there were
more than one certificate with the same subject.

In our test setup, there were three self-signed certificates with the
same subject, two of which were expired and one was valid.
When the valid certificate is at <hash>.0, things work fine.

However, when an invalid certificate is at <hash>.0, it fails to connect
to the LDAP server even if the valid certificate is available at
<hash>.1 or <hash>.2.

# openldapsearch -H <server>:636  -x -b ""  -s base objectclass=\*
namingcontexts
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The trace of the process shows that all 3 certificates were opened but
X509_verify_cert() returns 0 when an invalid certificate is at <hash>.0.

Does OpenSSL stop searching for a valid certificate when it finds a
certificate with matching DN?

Thank you,

-- misaki
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Viktor Dukhovni


On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <[hidden email]> wrote:

> We encountered a problem using OpenLDAP with OpenSSL when there were more than one certificate with the same subject.
>
> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?

Yes, when a matching issuer is found in the trust store, but is expired
no alternative certificates will be tested.  You need to remove outdated
issuer certificates from your trust store before they expire.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita
Thanks for the reply, Viktor.

Is it possible to keep searching for a valid certificate if the first
matching certificate was not valid?
Our customer claims that the NSS Mozilla didn't have this issue, so this
is considered a regression for us.

Best Regards,

-- misaki

On 10/21/2017 3:21 PM, Viktor Dukhovni wrote:

>
> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <[hidden email]> wrote:
>
>> We encountered a problem using OpenLDAP with OpenSSL when there were more than one certificate with the same subject.
>>
>> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?
> Yes, when a matching issuer is found in the trust store, but is expired
> no alternative certificates will be tested.  You need to remove outdated
> issuer certificates from your trust store before they expire.
>

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users