https://bugs.openldap.org/show_bug.cgi?id=9654

          Issue ID: 9654
           Summary: Allow using both Elliptic curves and RSA certificate
           Product: OpenLDAP
           Version: 2.5.4
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

sendmail and Cyrus IMAP allow setting two TLS server certificates, one RSA and
one EC.  When the client supports Elliptic curves, the smaller EC certificate is
used.  Likewise they accept two private keys, in case the private key is not
included in the certificate file.  In sendmail and Cyrus IMAP, the two
certificates are set in the same directive, separated with a comma:

define(`confSERVER_CERT', `/etc/zzz/fullchain.pem,/etc/zzz/fullchain_ec.pem')
define(`confSERVER_KEY', `/etc/zzz/privkey.pem,/etc/zzz/privkey_ec.pem')

In Cyrus IMAP the code dealing with this for OpenSSL is at
https://github.com/cyrusimap/cyrus-imapd/blob/master/imap/tls.c#L453 : cf1/kf1
are the first public/private key, cf2/kf2 are the second.

In sendmail the code is in sendmail/tls.c:inittls(): it calls
SSL_CTX_use_PrivateKey_file twice, once with keyfile and once with kf2
(keyfile 2).

• Extend OpenLDAP to accept several certificates (RSA/EC), either by
permitting several (comma separated) values in
olcTLSCertificateFile/olcTLSCertificateKeyFile, or by allowing several
occurrences of the property.
