https://bugs.openldap.org/show_bug.cgi?id=9195
Bug ID: 9195
Summary: Poor error messaging for TLS connect/accept with GnuTLS
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: ryan@openldap.org
Target Milestone: ---
When doing something like:
./clients/tools/ldapsearch -H ldap://171.67.218.153 -ZZ -x
With OpenSSL we get:
ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate
With GnuTLS we just get:
ldap_start_tls: Connect error (-11) additional info: (unknown error code)
We can do better. My thoughts right now are:
1. stash the verify status in the session;
2. return a specific value to indicate verify failed;
3. have tlsg_session_errmsg recognize that value and print the detailed verification status.
GnuTLS 3.5 added GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR, but I don't think it's worth bumping our required version for that alone. For the time being (i.e. 2.5) I'd like to keep 3.3 and maybe even 3.2 supported...
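Added example, not OpenLDAP's code: a self-contained C sketch of the three steps above (stash the verify status, return a sentinel, have the errmsg routine expand it). The status bit values are copied from gnutls_certificate_status_t so it builds without GnuTLS; the TLS_E_VERIFY_FAILED sentinel, the struct and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Status bits as in gnutls_certificate_status_t (values copied from
 * <gnutls/gnutls.h> so this compiles without GnuTLS; real code uses the header). */
#define CERT_INVALID          (1u << 1)
#define CERT_REVOKED          (1u << 5)
#define CERT_SIGNER_NOT_FOUND (1u << 6)
#define CERT_EXPIRED          (1u << 10)
#define CERT_UNEXPECTED_OWNER (1u << 14)
/* Hypothetical sentinel (not an OpenLDAP constant) returned when the
 * handshake completed but the peer certificate failed verification. */
#define TLS_E_VERIFY_FAILED (-1001)

struct tls_session { unsigned int verify_status; };   /* step 1: stash here */

/* Step 2: connect/accept path records the status and returns the sentinel. */
static int tls_check_verify(struct tls_session *s, unsigned int status)
{
    s->verify_status = status;
    return (status & CERT_INVALID) ? TLS_E_VERIFY_FAILED : 0;
}

/* Step 3: errmsg recognizes the sentinel and expands the stashed bits.
 * Returns NULL for any other rc so the caller falls back to gnutls_strerror(). */
static const char *tls_session_errmsg(const struct tls_session *s, int rc,
                                      char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *text; } reasons[] = {
        { CERT_REVOKED,           "revoked" },
        { CERT_SIGNER_NOT_FOUND,  "issuer not found" },
        { CERT_EXPIRED,           "expired" },
        { CERT_UNEXPECTED_OWNER,  "hostname does not match" },
    };
    const char *sep = " (";
    size_t i, n;
    if (rc != TLS_E_VERIFY_FAILED)
        return NULL;
    n = snprintf(buf, len, "TLS: peer certificate verification failed");
    for (i = 0; i < sizeof reasons / sizeof reasons[0] && n < len; i++) {
        if (!(s->verify_status & reasons[i].bit))
            continue;
        n += snprintf(buf + n, len - n, "%s%s", sep, reasons[i].text);
        sep = ", ";   /* a reason was written; later ones are comma-separated */
    }
    if (sep[0] == ',' && n < len)   /* close the list only if one was opened */
        snprintf(buf + n, len - n, ")");
    return buf;
}
```

With this shape the OpenSSL and GnuTLS backends would both report the hostname mismatch from the original report instead of "(unknown error code)".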
Ryan Tandy ryan@openldap.org changed:
What    | Removed                                                 | Added
--------+---------------------------------------------------------+-------------------------------------------------------
Summary | Poor error messaging for TLS connect/accept with GnuTLS | Poor error messaging GnuTLS cert verification failure
Ryan Tandy ryan@openldap.org changed:
What    | Removed                                               | Added
--------+-------------------------------------------------------+-----------------------------------------------------------
Summary | Poor error messaging GnuTLS cert verification failure | Poor error messaging for GnuTLS cert verification failure