https://bugs.openldap.org/show_bug.cgi?id=9654
Issue ID: 9654 Summary: Allow using both Elliptic curves and RSA certificate Product: OpenLDAP Version: 2.5.4 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs@openldap.org Reporter: dpa-openldap@aegee.org Target Milestone: ---
sendmail and Cyrus IMAP allow setting two TLS server certificates, one RSA and one EC. When the client supports Elliptic curves, the smaller EC certificate is used. Likewise they accept two private keys, in case the private key is not included in the certificate file. In sendmail and Cyrus IMAP, two certificates are set in the same directive, separated by a comma:
define(`confSERVER_CERT', `/etc/zzz/fullchain.pem,/etc/zzz/fullchain_ec.pem')
define(`confSERVER_KEY', `/etc/zzz/privkey.pem,/etc/zzz/privkey_ec.pem')
In Cyrus IMAP the code dealing with this for OpenSSL is at https://github.com/cyrusimap/cyrus-imapd/blob/master/imap/tls.c#L453 : cf1/kf1 is the first public/private key, cf2/kf2 are the second.
In sendmail the code is in sendmail/tls.c:inittls() - it calls SSL_CTX_use_PrivateKey_file twice - once with keyfile and once with kf2 (keyfile 2).
• Extend OpenLDAP to accept several certificates (RSA/EC) - either by permitting several (comma separated) values in olcTLSCertificateFile/olcTLSCertificateKeyFile, or by allowing several occurrences of the property.
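Added example (not code from this ticket, sendmail or Cyrus IMAP): it shows the OpenSSL behaviour the request relies on, loading an RSA pair and an EC pair into one server context and checking which certificate a TLS 1.2 client gets depending on whether it offers ECDHE-RSA or ECDHE-ECDSA ciphers. It assumes the openssl CLI is on PATH to generate throwaway self-signed certificates; the function and file names are invented for the demo.

```python
import os, ssl, subprocess, tempfile

def make_selfsigned(dirpath, name, newkey_args):
    """Constructed test material: throwaway self-signed cert/key via the openssl CLI."""
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", "-subj", "/CN=" + name,
                    "-newkey", *newkey_args, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def build_server_context(cert_files, key_files):
    """Load each cert/key pair. OpenSSL keeps one certificate per key type, so an RSA
    pair followed by an EC pair coexist; a second pair of the same type replaces the first."""
    if len(cert_files) != len(key_files):
        raise ValueError("certificate and key lists must pair up one-to-one")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for crt, key in zip(cert_files, key_files):
        ctx.load_cert_chain(crt, key)  # also runs SSL_CTX_check_private_key
    return ctx

def handshake_peer_cert(server_ctx, client_ciphers):
    """In-memory TLS 1.2 handshake; the client's cipher list fixes the key type the
    server must present. Returns the DER certificate the server actually sent."""
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname, client_ctx.verify_mode = False, ssl.CERT_NONE
    client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    client_ctx.set_ciphers(client_ciphers)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    cli = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    srv = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    def step(obj):  # one handshake step; True once this side has finished
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:
            return False
    cli_done = srv_done = False
    while not (cli_done and srv_done):
        cli_done = cli_done or step(cli)
        s_in.write(c_out.read())   # client -> server flight
        srv_done = srv_done or step(srv)
        c_in.write(s_out.read())   # server -> client flight
    return cli.getpeercert(binary_form=True)

def dual_cert_demo():
    """(RSA-only client got the RSA cert, ECDSA-only client got the EC cert)."""
    with tempfile.TemporaryDirectory() as d:
        rsa_crt, rsa_key = make_selfsigned(d, "rsa-server", ["rsa:2048"])
        ec_crt, ec_key = make_selfsigned(d, "ec-server", ["ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"])
        srv = build_server_context([rsa_crt, ec_crt], [rsa_key, ec_key])
        der = {p: ssl.PEM_cert_to_DER_cert(open(p).read()) for p in (rsa_crt, ec_crt)}
        return (handshake_peer_cert(srv, "ECDHE-RSA-AES128-GCM-SHA256") == der[rsa_crt],
                handshake_peer_cert(srv, "ECDHE-ECDSA-AES128-GCM-SHA256") == der[ec_crt])
```

Loading a second RSA pair instead of an EC pair would not add a certificate but overwrite the first, which is the check a slapd implementation of the comma-separated form would need to make.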
Howard Chu hyc@openldap.org changed:
What           |Removed      |Added
----------------------------------------------------------------------------
Severity       |normal       |enhancement

--- Comment #1 from Howard Chu hyc@openldap.org ---
You're welcome to submit a patch implementing this.
--- Comment #2 from Howard Chu hyc@openldap.org ---
(In reply to Howard Chu from comment #1)
> You're welcome to submit a patch implementing this.

Though I question its usefulness here. Again, LDAP servers don't tend to serve a wide variety of clients in multiple security domains. They tend to live in one security domain with only one overriding certificate authority and only one certificate technology.
Quanah Gibson-Mount quanah@openldap.org changed:
What           |Removed      |Added
----------------------------------------------------------------------------
Keywords       |             |needs_review
Quanah Gibson-Mount quanah@openldap.org changed:
What           |Removed      |Added
----------------------------------------------------------------------------
Keywords       |needs_review |