We're using *.domain.tld in the CN and subjectAltName:DNS:*.domain.tld. This may be a GnuTLS issue, as I am able to reproduce it with the GnuTLS server/client testing tools.
On Sat, 2008-05-17 at 23:23 -0700, Howard Chu wrote:
> [EMAIL PROTECTED] wrote:
> > Full_Name: Ben Goldsbury
> > Version: 2.4.9
> > OS: Debian
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (209.208.68.2)
> >
> >
> > When OpenLDAP 2.4.9 is compiled against GnuTLS (version 2.2.1 in my
> > testing) and using a valid Wildcard SSL certificate, TLS connections to
> > OpenLDAP fail with:
> >
> > TLS certificate verification: Error, unable to get local issuer certificate
> >
> > When OpenLDAP 2.4.9 is compiled against OpenSSL (version 0.9.8c in my
> > testing) and using the same certificate, connections work properly.
> >
> > Please contact me if you need any additional information.
>
> This sounds an awful lot like ITS#5361, which is a known defect in GnuTLS.
>
> What exactly do you mean by "Wildcard SSL certificate"? There are a couple
> different approaches to that. One uses the subjectAltName extension, and that
> is the officially sanctioned approach. One uses "*" in the certificate CN, and
> that is non-standard and generally not supposed to work.
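To make the subjectAltName-versus-CN distinction raised above concrete, here is an added illustration (not code from the ITS thread, OpenLDAP or GnuTLS) of how a verifier is expected to match a wildcard name: dNSName entries in subjectAltName are authoritative when present, the CN is only a legacy fallback, and a wildcard is honoured only as the whole left-most label. The certificate dicts are constructed sample data.

```python
# Added example, not part of the OpenLDAP ITS thread. Hostname matching
# rules follow RFC 6125 section 6.4.3; `cert` is a constructed dict with
# optional keys 'san_dns' (list of dNSName strings) and 'cn' (subject CN).

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' is honoured only as the entire label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName pattern (possibly wildcard) against a hostname.

    Enforced rules:
      * a wildcard may appear only as the whole left-most label;
      * it matches exactly one label, never across a '.';
      * at least two labels must follow it, so '*.tld' is rejected.
    """
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False  # partial-label or non-leftmost wildcard
        if len(p_labels) < 3:
            return False  # '*.tld' would cover a whole public suffix
    if len(p_labels) != len(h_labels):
        return False  # wildcard must not span multiple labels
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check a parsed certificate against the hostname we connected to.

    When any subjectAltName dNSName entries exist they decide the result
    and the CN is ignored; only a certificate with no dNSName entries
    falls back to the (non-standard) CN wildcard.
    """
    san = cert.get("san_dns") or []
    if san:
        return any(dns_name_matches(n, hostname) for n in san)
    cn = cert.get("cn")
    return bool(cn) and dns_name_matches(cn, hostname)
```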
