[gnutls-help] openldap+gnutls - unable to get TLS client DN

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jul 22 22:56:24 CEST 2013


On Fri, Jul 19, 2013 at 2:20 PM, Pascal Fautrero
<pascal.fautrero at crdp.ac-versailles.fr> wrote:
> Hi,
> I try to understand a situation encountered by several openldap users on the
> net. I use openldap package built for debian (compiled with gnutls, that's
> why I submit this post).
> When a consumer openldap tries to connect to a provider openldap using TLS,
> the provider displays the following message :
> "unable to get TLS client DN"
> Connection is ok if we set (on the server) TLSVerifyClient to never or
> allow. But just for fun, I want to manage with such a message. And I must
> admit it is quite difficult to understand for me. Help or hints would be
> appreciated :)

As far as I understand from your description the client never sent a
certificate even if you have configured it to send one. Is that
correct?

> On the client side, If I look at _gnutls_handshake_client, during the same
> handshake, only STATE0 is executed. More, gnutls_handshake function is
> executed only once. STATE7, responsible for sending client certificate is
> never executed. Is it a normal situation to see a TLS handshake with so few
> STATE executed? STATE2 and STATE3 shouldn't be caught?

So I assume that there is a certificate configured. In that case is
the authority of the certificate trusted by the server? In TLS, the
server sends to the client its trusted authorities and the client
replies with a certificate from that list. If its certificate is not
from this trusted list gnutls will not send any (different versions
may have different behavior - which one do you try with?). You can
check the actual conversation using wireshark, and see in the server's
certificate request message the list of trusted authorities. If you
see no certificate request message from the server, it means that the
server is configured not to request a certificate from the client.

regards,
Nikos
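
The check described in the reply above, as an added example that is not part of the original message or of GnuTLS: it parses a captured CertificateRequest handshake message (for instance exported from Wireshark) and tests whether a client certificate's issuer DN is among the server's advertised authorities. The function names, the constructed sample DNs, and the byte-for-byte DER comparison are assumptions of this example.

```python
def read_vec(buf, off, len_bytes):
    """Read a TLS length-prefixed vector; return (payload, next offset)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    start = off + len_bytes
    if start + n > len(buf):
        raise ValueError("truncated vector")
    return buf[start:start + n], start + n

def parse_certificate_request(msg, tls12=True):
    """Return the DER-encoded DNs listed in a CertificateRequest message.

    msg starts at the 4-byte handshake header (type 13, 24-bit length).
    TLS 1.2 carries supported_signature_algorithms; TLS 1.0/1.1 do not.
    """
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")
    _cert_types, off = read_vec(body, 0, 1)
    if tls12:
        _sig_algs, off = read_vec(body, off, 2)
    cas, off = read_vec(body, off, 2)
    if off != len(body):
        raise ValueError("trailing data")
    names, pos = [], 0
    while pos < len(cas):
        dn, pos = read_vec(cas, pos, 2)
        names.append(dn)
    return names

def client_cert_acceptable(issuer_der, ca_names):
    # An empty list means the server names no authorities (RFC 5246, 7.4.4).
    return not ca_names or issuer_der in ca_names

def sample_dn(cn):
    """Constructed sample: minimal DER Name holding one CN (OID 2.5.4.3)."""
    s = cn.encode()
    atv = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(s)]) + s
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_sample(names):
    """Constructed sample: a TLS 1.2 CertificateRequest naming these DNs."""
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in names)
    body = b"\x02\x01\x40" + b"\x00\x02\x04\x01" + len(cas).to_bytes(2, "big") + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```
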


