On Wed, Mar 04, 2009 at 07:49:38PM -0800, Howard Chu wrote:
mathias.gug@canonical.com wrote:
slapd+gnutls doesn't send all the certificates in the chain while slapd+openssl does.
openldap version: 2.4.15
gnutls version: 2.4.2
openssl version: 0.9.8g
Here are two systems running slapd 2.4.15 - one compiled with gnutls (t-slapd-gnutls), the other with openssl (t-slapd-openssl).
This appears to be a logical disconnect between the GnuTLS and OpenSSL APIs; the OpenLDAP docs were written for OpenSSL...
The way we use the OpenSSL library, it's assumed that only a single cert and key are present in the configured certfile and keyfile, and all of the relevant CAs for that cert are present in the CA file/path.
In the GnuTLS library, the library expects the entire cert chain to be present in the certfile. I think it's clear from this message http://groups.google.com/group/linux.debian.bugs.dist/msg/8fec96a62571d6e9 that this is a weakness in the GnuTLS API, one that prevents it from distinguishing between CA certs and end-entity certs, and thus the reason the whole V1 trust problem arose in the first place.
As an immediate workaround, you can simply copy the appropriate CA certs into your server cert file. In the meantime it looks like we'll just have to use gnutls_certificate_set_x509_key() to address this.
Thanks for the workaround. It works as expected. I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu yet.
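The workaround Howard describes (append the issuing CA certificates to the server certificate file so that a GnuTLS-built slapd has the whole chain in its certfile) is easy to get subtly wrong: the end-entity certificate has to be the first PEM block, and a file that is missing an intermediate looks fine until a client that only trusts the root fails to validate it. The script below is an added example written for this page; it is not code from the thread, from OpenLDAP, or from GnuTLS. It assumes only the `openssl` command-line tool. The file names (`root.pem`, `inter.pem`, `leaf.pem`, `chain.pem`) and the throwaway root-to-intermediate-to-server hierarchy it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenLDAP): build the
# single-file certificate chain that slapd+GnuTLS expects in its certfile
# and check it with the openssl CLI. Assumes the openssl command is
# installed; all file names below are illustrative.
set -eu

# build_chain OUT LEAF ISSUER [ISSUER...]
# Concatenate the end-entity certificate and then its issuing CAs, nearest
# issuer first. GnuTLS reads the certfile as an ordered chain, so the leaf
# must be the first PEM block. This is the "copy the CA certs into the
# server cert file" workaround from the thread, done reproducibly.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no certificate in $f" >&2; return 1; }
        cat "$f" >> "$out"
        # keep PEM blocks separated even if a file lacks a trailing newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# first_subject FILE: subject of the first certificate in FILE, i.e. the
# one GnuTLS (and any client) treats as the server's own certificate.
first_subject() { openssl x509 -in "$1" -noout -subject; }

# chain_verifies CERTFILE ROOT
# Succeeds only if a client that trusts just ROOT can validate the first
# certificate in CERTFILE using the remaining certificates in CERTFILE as
# untrusted intermediates, which is all a slapd+GnuTLS server can send
# from that file. A leaf-only certfile fails this check.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# make_test_pki DIR: generate a throwaway root -> intermediate -> server
# hierarchy for the demonstration (constructed test data, not real certs).
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.org\n' > "$d/leaf.ext"
    for name in root inter leaf; do
        case $name in
            root)  cn='Example Root CA' ;;
            inter) cn='Example Intermediate CA' ;;
            leaf)  cn='ldap.example.org' ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# demo: a leaf-only certfile is enough for slapd+OpenSSL (which finds the
# CAs via TLSCACertificateFile) but incomplete for slapd+GnuTLS; the
# concatenated file passes the client-side check.
demo() {
    d=${TMPDIR:-/tmp}/slapd-chain-demo.$$
    make_test_pki "$d"
    build_chain "$d/chain.pem" "$d/leaf.pem" "$d/inter.pem"
    echo "certificates in chain.pem: $(count_certs "$d/chain.pem")"
    echo "first certificate: $(first_subject "$d/chain.pem")"
    if chain_verifies "$d/leaf.pem" "$d/root.pem"; then
        echo "leaf-only certfile: verifies"
    else
        echo "leaf-only certfile: clients cannot build the chain (GnuTLS would send only this)"
    fi
    if chain_verifies "$d/chain.pem" "$d/root.pem"; then
        echo "chain.pem: verifies; use it as TLSCertificateFile for slapd+GnuTLS"
    fi
    rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh chain.sh`. For a real deployment, pass your server certificate and the intermediate CA file(s) to `build_chain`, point slapd's `TLSCertificateFile` at the result and leave `TLSCertificateKeyFile` on the private key as before; the root certificate itself does not need to be in the chain file, since a client must already trust it. The `chain_verifies` check only proves the chain is internally complete from the server's perspective; it is still worth confirming what the running server actually sends with `openssl s_client -showcerts` against the LDAP port.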