[openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita misaki.miyashita at oracle.com
Sat Oct 21 15:20:33 UTC 2017


Hi,

We encountered a problem using OpenLDAP with OpenSSL when there was 
more than one certificate with the same subject.

In our test setup, there were three self-signed certificates with the 
same subject, two of which were expired and one was valid.
When the valid certificate is at <hash>.0, things work fine.

However, when an invalid certificate is at <hash>.0, it fails to connect 
to the LDAP server even if the valid certificate is available at 
<hash>.1 or <hash>.2.

# openldapsearch -H <server>:636  -x -b ""  -s base objectclass=\* 
namingcontexts
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The trace of the process shows that all 3 certificates were opened but 
X509_verify_cert() returns 0 when an invalid certificate is at <hash>.0.

Does OpenSSL stop searching for a valid certificate when it finds a 
certificate with matching DN?

Thank you,

-- misaki


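The setup described in the report, rebuilt with the openssl command-line tool as an added example (this script is not part of the original post and is not Oracle's or OpenLDAP's code). It mints three self-signed certificates with one subject, two already expired and one valid, lays them out in two CApath hash directories that differ only in which certificate occupies <hash>.0, lists each slot with its notAfter date and expiry status, and verifies the valid certificate against both directories. The subject "CN=ldap.example.test" and the validity dates are constructed test data; whether the second verification fails depends on the OpenSSL release, so the script prints the result instead of assuming one.

```shell
#!/bin/sh
# Added example, not from the original post: three self-signed certs with the
# same subject (two expired, one valid) in an OpenSSL CApath hash directory,
# verified with the valid cert at <hash>.0 and again with an expired cert there.
# Subject and dates are constructed test data.
set -eu

SUBJ="/CN=ldap.example.test"        # assumed subject, shared by all three certs
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for 'openssl ca -selfsign', which, unlike 'req -x509', accepts
# explicit -startdate/-enddate and so can mint already-expired certificates.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca     = selfsign
[ selfsign ]
database       = index.txt
new_certs_dir  = .
serial         = serial
default_md     = sha256
policy         = policy_any
unique_subject = no
[ policy_any ]
commonName     = supplied
EOF
touch index.txt
echo 01 > serial

# mint NAME NOTBEFORE NOTAFTER: fresh RSA key plus self-signed cert for that window
mint() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$SUBJ" -out "$1.csr" >/dev/null 2>&1
  openssl ca -config ca.cnf -selfsign -batch -notext -keyfile "$1.key" \
    -in "$1.csr" -startdate "$2" -enddate "$3" -out "$1.pem" >/dev/null 2>&1
}
mint expired1 20140101000000Z 20150101000000Z
mint expired2 20150101000000Z 20160101000000Z
mint valid    20170101000000Z 20990101000000Z

# Same subject means the same subject hash, so c_rehash / openssl rehash would
# name all three <hash>.0, <hash>.1, <hash>.2; directory order decides the slots.
HASH=$(openssl x509 -noout -subject_hash -in valid.pem)

# build_capath DIR CERT0 CERT1 CERT2: place the certs in the given slot order
build_capath() {
  mkdir -p "$1"
  cp "$2" "$1/$HASH.0"; cp "$3" "$1/$HASH.1"; cp "$4" "$1/$HASH.2"
}
build_capath valid_first   valid.pem    expired1.pem expired2.pem
build_capath expired_first expired1.pem expired2.pem valid.pem

# list_capath DIR: each hash slot with subject, notAfter and expiry status,
# the check to run on a CApath that behaves like the one in the report
list_capath() {
  for f in "$1"/*.[0-9]*; do
    status=valid
    openssl x509 -noout -checkend 0 -in "$f" >/dev/null || status=EXPIRED
    printf '%s  %s  %s  %s\n' "$(basename "$f")" \
      "$(openssl x509 -noout -subject -in "$f")" \
      "$(openssl x509 -noout -enddate -in "$f")" "$status"
  done
}

# count_expired DIR: number of already-expired certs among the hash slots
count_expired() {
  n=0
  for f in "$1"/*.[0-9]*; do
    openssl x509 -noout -checkend 0 -in "$f" >/dev/null || n=$((n + 1))
  done
  echo "$n"
}

# verify_with DIR: 'ok' or 'FAIL' for the valid cert verified against DIR
verify_with() {
  if openssl verify -CApath "$1" valid.pem >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

for d in valid_first expired_first; do
  echo "== CApath $d"
  list_capath "$d"
  # The outcome for expired_first depends on the OpenSSL release in use,
  # so it is reported rather than assumed.
  echo "verify valid.pem with -CApath $d: $(verify_with "$d")"
done
```

Run it against the OpenSSL build that the failing ldapsearch uses; the listing shows which certificate occupies <hash>.0, and the two verify lines show whether that ordering alone changes the result. The same list_capath loop can be pointed at a production CApath to spot expired entries sharing a subject hash with a live one.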