Subject: Re: ldap client breaks after upgrade to wheezy
Followup-For: Bug #683095
Package: libgnutls26
Version: 2.12.20-6

I just spent the last couple hours struggling with the same problem. Upgraded a pam_ldap client machine from squeeze to wheezy, openldap server is still running squeeze. Server certificate was issued by CAcert.org.

With debug turned up on an 'ldapsearch', all I get is the following:

  TLS: peer cert untrusted or revoked (0x102)
  TLS: can't connect: (unknown error code).

That led me to bug #478883.

Tests using the following command:

  gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt \
      -d 4711 -V -p 636 ldap.example.com

...works fine on squeeze (2.8), but fails on wheezy (2.12):

  ...
  |<3>| HSK[0x251f710]: CERTIFICATE was received [4753 bytes]
  |<6>| BUF[REC][HD]: Read 4749 bytes of Data(22)
  |<6>| BUF[HSK]: Peeked 214 bytes of Data
  |<6>| BUF[HSK]: Emptied buffer
  |<6>| BUF[HSK]: Inserted 4 bytes of Data
  |<6>| BUF[HSK]: Inserted 4749 bytes of Data
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: mpi.c:609
  |<2>| ASSERT: dn.c:1209
  |<2>| ASSERT: verify.c:584
  |<2>| ASSERT: gnutls_kx.c:705
  |<2>| ASSERT: gnutls_handshake.c:2777
  |<6>| BUF[HSK]: Cleared Data from buffer
  *** Fatal error: Error in the certificate.
  |<4>| REC: Sending Alert[2|42] - Certificate is bad
  |<4>| REC[0x251f710]: Sending Packet[1] Alert(21) with length: 2
  |<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
  |<7>| WRITE FLUSH: 7 bytes in buffer.
  |<7>| WRITE: wrote 7 bytes, 0 bytes left.
  |<4>| REC[0x251f710]: Sent Packet[2] Alert(21) with length: 7
  *** Handshake has failed
  GnuTLS error: Error in the certificate.
  |<6>| BUF[HSK]: Cleared Data from buffer
  |<4>| REC[0x251f710]: Epoch #0 freed
  |<4>| REC[0x251f710]: Epoch #1 freed
  Processed 6 CA certificate(s).
  Resolving 'ldap.example.com'...
  Connecting to '2001:dead:beef:::636'...
  *** Verifying server certificate failed...

I hadn't realized that CAcert had reissued their intermediate to change fingerprint algorithm. Thanks Daniel!

Manually replacing /usr/share/ca-certificates/cacert.org/cacert.org.crt on the squeeze server with the wheezy version solved the LDAP failures. Feels really dirty overwriting a file in /usr.

Perhaps the ca-certificates package in squeeze could use some maintenance (squeeze-backports?) so that other users avoid this problem on wheezy upgrade. Or maybe a NEWS.Debian entry in libgnutls26 hinting at the breakage of the new gnutls validation code vs. older CAcert certificates on remote squeeze servers?

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6              2.13-38
ii  libgcrypt11        1.5.0-5
ii  libp11-kit0        0.12-3
ii  libtasn1-3         2.13-2
ii  multiarch-support  2.13-38
ii  zlib1g             1:1.2.7.dfsg-13

libgnutls26 recommends no packages.

libgnutls26 suggests no packages.

-- no debconf information

--
Gerald Turner  Email: gtur...@unzane.com  JID: gtur...@unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5
pgpkeGKmWoB7Q.pgp
Description: PGP signature
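The report pins the breakage on the CAcert intermediate having been reissued with a different algorithm, and the fix was to swap in the newer CA file. An administrator who wants to find out ahead of an upgrade whether a CA bundle still carries certificates the newer GnuTLS verifier will refuse can check each certificate's signatureAlgorithm field. The script below is an added example, not code from the bug report or from the gnutls or ca-certificates packages. It walks the outer DER layout of each certificate with the standard library only, assumes (the report does not say which algorithm changed) that MD5-with-RSA signatures are the ones being rejected, and builds two constructed stand-in certificates so it runs offline. Pass the path of a real bundle, such as /etc/ssl/certs/ca-certificates.crt from the report, as the first argument to scan it instead.

```python
import base64
import re

# OID -> name for the RSA signature algorithms commonly seen in X.509 certificates
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Assumption (not stated in the report): MD5-signed certificates are what the newer verifier rejects
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear: last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)       # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)


PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def scan_bundle(pem_bytes):
    """Return [(index, algorithm name, is_weak)] for every certificate in a PEM bundle."""
    result = []
    for i, m in enumerate(PEM_CERT.finditer(pem_bytes)):
        der_bytes = base64.b64decode(b"".join(m.group(1).split()))
        alg = signature_algorithm(der_bytes)
        result.append((i, alg, alg in WEAK_SIG_ALGS))
    return result


# --- constructed sample input: two minimal stand-in certificates (not real CA certs) ---
def der(tag, payload):
    """Minimal DER encoder for the sample builder."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(digits))
    return out


def fake_cert_pem(sig_oid):
    """Stand-in certificate: real outer layout, placeholder tbsCertificate and signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    algid = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 17)          # BIT STRING: unused-bits byte plus zero bytes
    cert = der(0x30, tbs + algid + sig)
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = fake_cert_pem("1.2.840.113549.1.1.4") + fake_cert_pem("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, alg, weak in scan_bundle(data):
        print(f"cert {i}: {alg}{'  <-- weak signature, expect rejection' if weak else ''}")
```

The stand-in certificates carry no real signature and no real subject; the check only needs the outer Certificate SEQUENCE layout, which is the same in genuine certificates. On a real bundle the interesting output is any entry flagged weak, which is the file to replace before the client side is upgraded.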