[openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+
misaki.miyashita at oracle.com
Sat Oct 21 15:20:33 UTC 2017
We encountered a problem using OpenLDAP with OpenSSL when there were
more than one certificate with the same subject.
In our test setup, there were three self-signed certificates with the
same subject, two of which were expired and one was valid.
When the valid certificate is at <hash>.0, things work fine.
However, when an invalid certificate is at <hash>.0, it fails to connect
to the LDAP server even if the valid certificate is available at
<hash>.1 or <hash>.2.
# openldapsearch -H <server>:636 -x -b "" -s base objectclass=\*
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The trace of the process shows that all 3 certificates were opened but
X509_verify_cert() returns 0 when an invalid certificate is at <hash>.0.
Does OpenSSL stop searching for a valid certificate when it finds a
certificate with matching DN?
More information about the openssl-users