From 680091b5b4dd38e674533ac5ce04da4e446d6439 Mon Sep 17 00:00:00 2001
From: Andreas Schulze
Date: Sat, 11 Feb 2017 19:26:59 +0000
Subject: [PATCH] ITS#8586 load cert+chain from TLSCertificateFile For OpenSSL
---
 doc/man/man5/slapd.conf.5 | 5 ++++-
 libraries/libldap/tls_o.c | 3 +--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index e8c536e806..c2ffb93736 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1148,7 +1148,7 @@ Specifies the file that contains certificates for all of the
 Certificate Authorities that
 .B slapd
 will recognize. The certificate for
-the CA that signed the server certificate must be included among
+the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
 these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply
@@ -1164,6 +1164,9 @@ locations will be used.
 Specifies the file that contains the
 .B slapd
 server certificate.
+
+When using OpenSSL that file may also contain any number or intermediate
+certificates.
 .TP
 .B TLSCertificateKeyFile
 Specifies the file that contains the
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index bbf1f9156e..b89c2c7056 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -465,8 +465,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 X509_free( cert );
 } else
 if ( lo->ldo_tls_certfile &&
-!SSL_CTX_use_certificate_file( ctx,
-lt->lt_certfile, SSL_FILETYPE_PEM ) )
+!SSL_CTX_use_certificate_chain_file( ctx, lt->lt_certfile) )
 {
 Debug1( LDAP_DEBUG_ANY,
 "TLS: could not use certificate file `%s'.\n",
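Review bot: SSL_CTX_use_certificate_chain_file() takes the first PEM certificate in lt->lt_certfile as the server's own certificate and every later one as an extra chain certificate that is sent to peers, so file order now matters and certificates after the first, which the old SSL_CTX_use_certificate_file() call ignored, are now presented to clients; the new call in the hunk should carry that contract, e.g. `/* first cert is the leaf, any following certs are sent as the chain (leaf-first order) */`. The diagnostic on the last hunk line still says only `could not use certificate file`, although a malformed intermediate in the same file now trips this branch too, so wording it as `could not use certificate/chain file` would point an operator at the right cause. Minor style: `lt->lt_certfile) )` drops the space before the closing parenthesis that the neighbouring calls use, `lt->lt_certfile ) )`. The slapd.conf.5 hunk should state the same leaf-first ordering requirement, and its "any number or intermediate" presumably means "any number of intermediate". tlso_ctx_init begins and ends outside the hunk.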