Authorities that
.B slapd
will recognize. The certificate for
-the CA that signed the server certificate must be included among
+the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
these certificates. If the signing CA was not a top-level (root) CA,
certificates for the entire sequence of CA's from the signing CA to
the top-level CA should be present. Multiple certificates are simply
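Review bot: The wording "must(GnuTLS)/may(OpenSSL)" in the added line is hard to read in a rendered man page and does not say under what condition the signing CA can be left out with OpenSSL. Suggest splitting it into two plain sentences, one per library, and stating the OpenSSL condition explicitly (presumably that the chain is supplied in the server certificate file instead). The following context sentence still says the entire sequence up to the top-level CA "should be present" for both libraries, so it is worth checking that the two statements read consistently once this line changes.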
Specifies the file that contains the
.B slapd
server certificate.
+
+When using OpenSSL that file may also contain any number or intermediate
+certificates.
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
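Review bot: The added paragraph does not document the order the certificates must appear in, and "any number or intermediate" should read "any number of intermediate". Since the code change switches to SSL_CTX_use_certificate_chain_file, the text should say that the server certificate comes first in the file, followed by the intermediate CA certificates in chain order. It would also help to say what happens when the file holds extra certificates in a GnuTLS build, as the sentence only covers OpenSSL. Minor roff point: the bare empty "+" line puts a blank line in the man source; a paragraph macro that keeps the .TP indentation (such as .IP or .sp) is the usual way to separate the two paragraphs.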
X509_free( cert );
} else
if ( lo->ldo_tls_certfile &&
- !SSL_CTX_use_certificate_file( ctx,
- lt->lt_certfile, SSL_FILETYPE_PEM ) )
+ !SSL_CTX_use_certificate_chain_file( ctx, lt->lt_certfile) )
{
Debug1( LDAP_DEBUG_ANY,
"TLS: could not use certificate file `%s'.\n",