tags 514807 wontfix
thanks

Edward Allcutt <[email protected]> writes:

> Simon Josefsson wrote:
>> Edward Allcutt <[email protected]> writes:
>>
>>> Package: libgnutls13
>>> Version: 1.4.4-3+etch3
>>> Severity: important
>>>
>>> After the upgrade all embedded uses of LDAP fail with connection errors.
>>> On investigation these seem to be caused by certificate validation
>>> problems.
>>>
>>> This was first noticed with nss_ldap. After enabling debugging, running
>>> `getent group` produced error messages like:
>>> TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
>>> TLS certificate verification: Error, Unknown error
>>>
>>> Similar problems occur for pam_ldap and apache mod_authnz_ldap.
>>> Strangely, gnutls-cli verifies the server certificate with no problems.
>>>
>>> The error was first seen in a STARTTLS only configuration. I have since
>>> enabled ldaps to ease testing with gnutls-cli and confirmed it still
>>> affects nss_ldap and apache switched to ldaps.
>>>
>>> The root (trusted) certificate of our cert chain is an x509v1 cert, however
>>> I'd expect gnutls-cli to complain if this were the issue.
>>
>> Please post output from 'gnutls-cli -p 663 your.ldap.server -d 4711
>> --print-cert' replacing your.ldap.server as appropriate.
> Output of `gnutls-cli -p ldaps -d 4711 --print-cert ldap-3.teamgleim.com
> >out 2>&1` attached.
>
>> I suspect the problem is that you have an RSA-MD5 signature somewhere in
>> the certificate chain.
> Nope, already checked that... gnutls-cli does work after all. It's the
> other modules linked to libgnutls that are failing.

I believe the problem is that you have a V1 CA, which isn't permitted by
default by libgnutls. The reason gnutls-cli doesn't complain is because
it contains this code:

  /* there are some CAs that have a v1 certificate *%&@#*%& */
  gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

I don't recommend doing the same in other applications, and we should
probably remove it from gnutls-cli too.

It may be useful to create a parameter in other tools to enable the flag
on a per-case basis, though.

For explanation of why V1 CAs are bad, see:
http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3365

I'm tagging this as wontfix since this is the documented and intended
behaviour. I am sorry you had to notice it through an upgrade -- however
the reason for the upgrade was to close this hole.

/Simon
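The practical question for an administrator hit by this change is which certificate in the trust bundle is actually v1. The following is an added example, not GnuTLS code and not part of the bug thread: a dependency-free scanner that reads a PEM bundle, reports each certificate's X.509 version, and reports whether it carries basicConstraints with cA=TRUE. A v1 certificate has no extensions field at all, so it can never assert basicConstraints; that is the property libgnutls relies on when it rejects v1 CAs unless GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set. The two certificates in SAMPLE_BUNDLE are constructed here (dummy names, unsigned, placeholder key and signature bits) purely to exercise the parser; run it on /etc/ssl/certs or your LDAP client's tls_cacertfile instead.

```python
"""Find X.509 v1 certificates in a PEM bundle (added example, not GnuTLS code)."""
import base64
import re

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # content octets of 2.5.29.19


def _der(tag, payload):
    """Minimal DER TLV encoder (definite length); used only to build the samples."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE/SET value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val


def _tbs(der_cert):
    """Return the TBSCertificate value of a DER Certificate."""
    tag, cert, _ = _tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = _tlv(cert)
    if tag != 0x30:
        raise ValueError("no TBSCertificate")
    return tbs


def x509_version(der_cert):
    """X.509 version (1, 2 or 3). TBSCertificate starts with
    version [0] EXPLICIT INTEGER DEFAULT v1(0); if the [0] tag is absent, it is v1."""
    tag, first, _ = _tlv(_tbs(der_cert))
    if tag != 0xA0:
        return 1
    itag, ival, _ = _tlv(first)
    if itag != 0x02:
        raise ValueError("malformed version field")
    return int.from_bytes(ival, "big") + 1


def basic_constraints_ca(der_cert):
    """True only if the certificate carries basicConstraints with cA=TRUE.
    Always False for v1/v2, which have no extensions [3] field."""
    for tag, val in _children(_tbs(der_cert)):
        if tag != 0xA3:                               # extensions [3] EXPLICIT
            continue
        _, exts, _ = _tlv(val)                        # SEQUENCE OF Extension
        for _, ext in _children(exts):
            parts = list(_children(ext))              # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = _tlv(parts[-1][1])             # BasicConstraints SEQUENCE { cA BOOLEAN, ... }
            for btag, bval in _children(bc):
                if btag == 0x01:
                    return bval == b"\xff"
            return False                              # cA absent => DEFAULT FALSE
    return False


def scan_pem_bundle(pem_text):
    """Return [(version, is_ca_by_basicConstraints), ...] for every cert in the bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [(x509_version(der), basic_constraints_ca(der))
            for der in (base64.b64decode("".join(b.split())) for b in blocks)]


# --- constructed sample certificates: dummy fields, no real key or signature ---
def _sample_cert(version3):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                     + _der(0x0C, b"Example CA"))))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    key_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"090101000000Z") + _der(0x17, b"190101000000Z"))
    spki = _der(0x30, key_alg + _der(0x03, b"\x00" * 9))
    fields = _der(0x02, b"\x01") + sig_alg + name + validity + name + spki
    if version3:                                      # add version v3(2) and basicConstraints CA:TRUE
        bc = _der(0x04, _der(0x30, _der(0x01, b"\xff")))
        ext = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff") + bc)
        fields = _der(0xA0, _der(0x02, b"\x02")) + fields + _der(0xA3, _der(0x30, ext))
    cert = _der(0x30, _der(0x30, fields) + sig_alg + _der(0x03, b"\x00" * 9))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_BUNDLE = _sample_cert(False) + _sample_cert(True)

if __name__ == "__main__":
    for i, (ver, is_ca) in enumerate(scan_pem_bundle(SAMPLE_BUNDLE)):
        print(f"cert {i}: X.509 v{ver}, basicConstraints cA={'TRUE' if is_ca else 'absent/FALSE'}")
```

Any certificate reported as v1 with no basicConstraints is one libgnutls will refuse to use as a trust anchor without GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; the fix on the deployment side is to reissue that root as a v3 certificate with basicConstraints CA:TRUE rather than to set the flag in every LDAP client.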

