[gnutls-help] openldap+gnutls - unable to get TLS client DN
Pascal Fautrero
pascal.fautrero at crdp.ac-versailles.fr
Fri Jul 19 14:20:09 CEST 2013
Hi,
I am trying to understand a situation encountered by several openldap users on
the net. I use the openldap package built for debian (compiled with gnutls,
which is why I submit this post).
When a consumer openldap tries to connect to a provider openldap using
TLS, the provider displays the following message:
"unable to get TLS client DN"
The connection is OK if we set (on the server) TLSVerifyClient to never or
allow. But just for fun, I want to manage with such a message. And I
must admit it is quite difficult for me to understand. Help or hints
would be appreciated :)
I found that "unable to get TLS client DN" is displayed because
gnutls_certificate_get_peers sends back an empty raw_certificate_list.
Thus, I tried to study the gnutls_handshake procedure to understand why
such a list is empty.
On the server side, I found that _gnutls_proc_x509_server_certificate
sends back GNUTLS_E_NO_CERTIFICATE_FOUND.
If I look at _gnutls_handshake_server, when the openldap slave tries to
connect to the openldap master, only STATE0, STATE6 and STATE7 are executed.
Is it a normal situation?
On the client side, if I look at _gnutls_handshake_client, during the
same handshake, only STATE0 is executed. Moreover, the gnutls_handshake function
is executed only once. STATE7, responsible for sending the client certificate,
is never executed. Is it a normal situation to see a TLS handshake with
so few STATEs executed? Shouldn't STATE2 and STATE3 be caught?
Thanks in advance
Regards,
Pascal Fautrero
CRDP de l'académie de Versailles