sjv@genoscope.cns.fr wrote:
Full_Name: Simon Vallet Version: 2.4.16 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (195.83.221.39)
Hi,
trying to use SHA-256 signed certificates for SSL connections to an OpenLDAP server leads to the following OpenSSL error messages :
TLS certificate verification: Error, certificate signature failure tls_write: want=7, written=7 0000: 15 03 01 00 02 02 33 ......3 TLS trace: SSL3 alert write:fatal:decrypt error TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm.
This is due to OpenLDAP not explicitly enabling SHA-2 ciphers after calling SSLeay_add_ssl_algorithms(), which only enables some digest algorithms.
As SHA-256 is becoming more common and as it is, in fact, mandated by TLS 1.2, I think OpenLDAP should support it.
For a similar problem, you might want to take a look at http://bugs.exim.org/show_bug.cgi?id=674
Thanks for the report. I've chosen to call OpenSSL_add_all_digests() in our init. Note that this has no impact on the actual TLS protocol handshake, since OpenSSL still only supports TLSv1.0.