[openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita misaki.miyashita at oracle.com
Wed Oct 25 14:31:51 UTC 2017

Thanks for the reply, Viktor.

Is it possible to keep searching for a valid certificate if the first 
matching certificate was not valid?
Our customer claims that the NSS Mozilla didn't have this issue, so this 
is considered a regression for us.

Best Regards,

-- misaki

On 10/21/2017 3:21 PM, Viktor Dukhovni wrote:
> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <misaki.miyashita at oracle.com> wrote:
>> We encountered a problem using OpenLDAP with OpenSSL when there was more than one certificate with the same subject.
>> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?
> Yes, when a matching issuer is found in the trust store, but is expired,
> no alternative certificates will be tested.  You need to remove outdated
> issuer certificates from your trust store before they expire.
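
The advice in the quoted reply (remove outdated issuer certificates from the trust store before they expire) can be checked mechanically. The following is an added example, not part of the original thread and not OpenSSL or OpenLDAP code; it assumes a hashed CA directory with `<hash>.N` entries, and the function name `audit_ca_dir` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hashed CA directory for
# certificates that are expired or close to expiry.
#
# audit_ca_dir DIR [WINDOW_SECONDS]
# Prints one line per <hash>.N certificate expiring within WINDOW_SECONDS
# (default 0 = already expired):
#   REPLACED <hash> <file>  another cert with the same subject hash stays valid
#   EXPIRING <hash> <file>  no valid cert with that subject hash remains
# Returns 1 if anything was reported, 0 otherwise.
audit_ca_dir() {
    dir=$1
    window=${2:-0}
    list=$(mktemp) || return 2
    for f in "$dir"/*.[0-9]*; do
        [ -f "$f" ] || continue
        # Files that do not parse as a PEM certificate are skipped.
        hash=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        # -checkend exits non-zero if the cert expires within $window seconds.
        if openssl x509 -noout -checkend "$window" -in "$f" >/dev/null 2>&1; then
            echo "ok $hash $f" >>"$list"
        else
            echo "bad $hash $f" >>"$list"
        fi
    done
    found=0
    while read -r state hash f; do
        [ "$state" = bad ] || continue
        found=1
        # An expiring entry next to a valid one with the same subject hash is
        # the layout described in this thread: remove the old file and rehash.
        if grep -q "^ok $hash " "$list"; then
            echo "REPLACED $hash $f"
        else
            echo "EXPIRING $hash $f"
        fi
    done <"$list"
    rm -f "$list"
    return "$found"
}
```

Running `audit_ca_dir /path/to/cacerts 2592000` from a scheduled job reports entries expiring within 30 days; the directory path is a placeholder for the CA directory configured for the LDAP client.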
