From: Andreas Schulze Date: Sat, 11 Feb 2017 19:26:59 +0000 (+0000) Subject: ITS#8586 load cert+chain from TLSCertificateFile X-Git-Tag: OPENLDAP_REL_ENG_2_5_4~7^2~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=680091b5b4dd38e674533ac5ce04da4e446d6439;p=thirdparty%2Fopenldap.git ITS#8586 load cert+chain from TLSCertificateFile For OpenSSL --- diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index e8c536e806..c2ffb93736 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1148,7 +1148,7 @@ Specifies the file that contains certificates for all of the Certificate Authorities that .B slapd will recognize. The certificate for -the CA that signed the server certificate must be included among +the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply @@ -1164,6 +1164,9 @@ locations will be used. Specifies the file that contains the .B slapd server certificate. + +When using OpenSSL that file may also contain any number or intermediate +certificates. .TP .B TLSCertificateKeyFile Specifies the file that contains the diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index bbf1f9156e..b89c2c7056 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -465,8 +465,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) X509_free( cert ); } else if ( lo->ldo_tls_certfile && - !SSL_CTX_use_certificate_file( ctx, - lt->lt_certfile, SSL_FILETYPE_PEM ) ) + !SSL_CTX_use_certificate_chain_file( ctx, lt->lt_certfile) ) { Debug1( LDAP_DEBUG_ANY, "TLS: could not use certificate file `%s'.\n",
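Review bot: In the first slapd.conf.5 hunk, "must(GnuTLS)/may(OpenSSL) be included among these certificates" is hard to read in man page prose; spell it out, e.g. "When using GnuTLS, the certificate for the CA that signed the server certificate must be included among these certificates. When using OpenSSL it may be included here or supplied as part of the TLSCertificateFile chain instead." As written, a reader can also take "may" to mean the signing CA is optional altogether, so the sentence should make clear that OpenSSL still needs the intermediate from one of the two files.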
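Review bot: In the second slapd.conf.5 hunk there is a typo: "any number or intermediate certificates" should read "any number of intermediate certificates". The added paragraph should also state the ordering that SSL_CTX_use_certificate_chain_file expects, since OpenSSL reads the file as the server certificate first followed by the intermediates in chain order; a file with the intermediates listed before the end-entity certificate will be rejected or produce a wrong chain, and administrators converting from separate files will need to know that.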
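Review bot: In the tls_o.c hunk the new call `!SSL_CTX_use_certificate_chain_file( ctx, lt->lt_certfile) )` drops the space before the closing parenthesis, which does not match the surrounding OpenLDAP style (`( ctx, lt->lt_certfile )`). Functionally the switch is fine because the old call already passed SSL_FILETYPE_PEM explicitly, and SSL_CTX_use_certificate_chain_file is PEM-only, so no previously accepted file format is lost; the Debug1 message "could not use certificate file" still covers the failure case, though a note in the commit message that a chain-ordering error in the file now surfaces through this same message would help anyone debugging it.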