Hi,

We encountered a problem using OpenLDAP with OpenSSL when there was more than one certificate with the same subject.

In our test setup, there were three self-signed certificates with the same subject, two of which were expired and one was valid.
When the valid certificate is at <hash>.0, things work fine.

However, when an invalid certificate is at <hash>.0, it fails to connect to the LDAP server even if the valid certificate is available at <hash>.1 or <hash>.2.

# openldapsearch -H <server>:636 -x -b "" -s base objectclass=\* namingcontexts
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The trace of the process shows that all 3 certificates were opened but X509_verify_cert() returns 0 when an invalid certificate is at <hash>.0.

Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?

Thank you,

-- misaki
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
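The layout in the question is the OpenSSL hashed CA directory (CApath), where every file is named `<subject_hash>.<N>` and certificates sharing a subject hash take consecutive indices. Whatever a given OpenSSL version does with the later indices, an operator can at least detect the risky layout the post describes, an expired certificate at a lower index than the valid one in the same bucket. The script below is an added example and not part of the original post or of OpenSSL; it assumes the `openssl` CLI is on PATH and reads each file with `openssl x509 -noout -subject_hash -enddate`. The `parse_openssl_output` and `find_shadowed_buckets` functions are pure and work on constructed data, so the audit logic can be checked without any certificates on disk.

```python
"""Audit an OpenSSL hashed CA directory (CApath) for same-hash collisions.

Added example, not part of the original post. It looks for the layout the
post describes: several certificates with the same subject hash laid out as
<hash>.0, <hash>.1, ... where an expired certificate sits at a lower index
than a valid one. Assumption (not from the page): the `openssl` CLI is on
PATH and `openssl x509 -noout -subject_hash -enddate` reads each file.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

# File names produced by c_rehash / openssl rehash: 8 hex digits, a dot, an index.
HASHED_NAME = re.compile(r"^([0-9a-f]{8})\.(\d+)$")


@dataclass
class Entry:
    filename: str      # e.g. "a1b2c3d4.0"
    name_hash: str     # hash taken from the file name
    subject_hash: str  # hash reported by openssl for the certificate inside
    index: int         # the .N suffix
    not_after: datetime


def parse_openssl_output(text: str) -> tuple[str, datetime]:
    """Parse `openssl x509 -noout -subject_hash -enddate` output.

    Lines are matched by content, not by position, so option order does not matter.
    The notAfter format is the one openssl prints: 'Jun  1 12:00:00 2023 GMT'.
    """
    subject_hash = None
    not_after = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notAfter="):
            stamp = line[len("notAfter="):]
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif re.fullmatch(r"[0-9a-f]{8}", line):
            subject_hash = line
    if subject_hash is None or not_after is None:
        raise ValueError("unexpected openssl output: %r" % text)
    return subject_hash, not_after


def read_entry(capath: str, filename: str) -> Entry:
    """Run openssl on one hashed file and build an Entry (requires the openssl CLI)."""
    m = HASHED_NAME.match(filename)
    if m is None:
        raise ValueError("not a hashed file name: %s" % filename)
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject_hash", "-enddate",
         "-in", os.path.join(capath, filename)],
        check=True, capture_output=True, text=True).stdout
    subject_hash, not_after = parse_openssl_output(out)
    return Entry(filename, m.group(1), subject_hash, int(m.group(2)), not_after)


def find_shadowed_buckets(entries, now: datetime) -> dict:
    """Group entries by subject hash and report buckets where an expired
    certificate sits at a lower index than the first valid one.

    Returns {subject_hash: [expired filenames preceding the first valid one]}.
    Buckets with no valid certificate at all are not reported: nothing is shadowed there.
    """
    buckets = {}
    for e in entries:
        buckets.setdefault(e.subject_hash, []).append(e)
    findings = {}
    for subject_hash, items in buckets.items():
        items.sort(key=lambda e: e.index)
        first_valid = next((i for i, e in enumerate(items) if e.not_after > now), None)
        if first_valid is None:
            continue
        expired_before = [e.filename for e in items[:first_valid] if e.not_after <= now]
        if expired_before:
            findings[subject_hash] = expired_before
    return findings


def find_misnamed(entries) -> list:
    """Files whose name hash does not match the subject hash of the certificate inside."""
    return [e.filename for e in entries if e.name_hash != e.subject_hash]


def audit_capath(capath: str, now: datetime = None) -> dict:
    """Scan a CApath directory; returns {'shadowed': {...}, 'misnamed': [...]}."""
    now = now or datetime.now(timezone.utc)
    entries = [read_entry(capath, f) for f in sorted(os.listdir(capath)) if HASHED_NAME.match(f)]
    return {"shadowed": find_shadowed_buckets(entries, now), "misnamed": find_misnamed(entries)}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(audit_capath(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"), indent=2))
```

Run it as `python audit_capath.py /path/to/capath`; a non-empty `shadowed` map means an expired certificate occupies a lower index than the valid one in that bucket, which is exactly the layout that made the bind in the post fail, and `misnamed` catches files whose hash name no longer matches their contents after a certificate was replaced in place.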
