[gnutls-help] openldap+gnutls - unable to get TLS client DN
pascal.fautrero at crdp.ac-versailles.fr
Fri Jul 19 14:20:09 CEST 2013
I try to understand a situation encountered by several openldap users on
the net. I use openldap package built for debian (compiled with gnutls,
that's why I submit this post).
When a consumer openldap tries to connect to a provider openldap using
TLS, the provider displays the following message :
"unable to get TLS client DN"
Connection is ok if we set (on the server) TLSVerifyClient to never or
allow. But just for fun, I wan't to manage with such a message. And I
must admit it is quite difficult to understand for me. Help or hints
would be appreciated :)
I found that "unable to get TLS client DN" is displayed because
gnutls_certificate_get_peers sends back an empty raw_certificate_list.
Thus, I tried to study the gnutls_handshake procedure to understand why
such a list is empty.
On the server side, I found that _gnutls_proc_x509_server_certificate
sends back GNUTLS_E_NO_CERTIFICATE_FOUND.
If I look at _gnutls_handshake_server, when openldap slave tries to
connect to openldap master, only STATE0, STATE6 and STATE7 are executed.
Is it a normal situation ?
On the client side, If I look at _gnutls_handshake_client, during the
same handshake, only STATE0 is executed. More, gnutls_handshake function
is executed only once. STATE7, responsible of sending client certificate
is never executed. Is it a normal situation to see a TLS handshake with
so few STATE executed ? STATE2 and STATE3 shouldn't be catched ?
Thanks in advance
CRDP de l'académie de Versailles
More information about the Gnutls-help