Your message dated Sat, 31 Jan 2009 16:02:05 +0000
with message-id <[email protected]>
and subject line Bug#509593: fixed in gnutls26 2.4.2-5
has caused the Debian Bug report #509593,
regarding libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or
revoked (0x82)' with latest gnutls26
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
509593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls26
Version: 2.4.2-4
Severity: normal
This was found as a result of the Ubuntu update to gnutls. This also
affects the Ubuntu development release (which has the same version of
gnutls26 as sid) and of course Debian Sid. For more information, please
see:
https://launchpad.net/bugs/305264
Steps to reproduce:
1. apt-get install ca-certificates ldap-utils
2. LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<public ldap server>:636/ -d 1
Result:
ldap_url_parse_ext(ldaps://<public ldap server>:636/)
ldap_create
ldap_url_parse_ext(ldaps://<public ldap server>:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <public ldap server>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <public ip address>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Expected result:
....
ldap_open_defconn: successful
....
What's most interesting is that gnutls-cli and certtool show the
certificate as valid.
I'd be happy to give the URL for the server off-list (I am reporting
this on behalf of the initial reporter who did not divulge the
information publicly).
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27-7-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgnutls26 depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libtasn1-3 1.5-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libgnutls26 recommends no packages.
Versions of packages libgnutls26 suggests:
ii gnutls-bin 2.4.2-4 the GNU TLS library - commandline
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnutls26
Source-Version: 2.4.2-5
We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:
gnutls-bin_2.4.2-5_i386.deb
to pool/main/g/gnutls26/gnutls-bin_2.4.2-5_i386.deb
gnutls-doc_2.4.2-5_all.deb
to pool/main/g/gnutls26/gnutls-doc_2.4.2-5_all.deb
gnutls26_2.4.2-5.diff.gz
to pool/main/g/gnutls26/gnutls26_2.4.2-5.diff.gz
gnutls26_2.4.2-5.dsc
to pool/main/g/gnutls26/gnutls26_2.4.2-5.dsc
guile-gnutls_2.4.2-5_i386.deb
to pool/main/g/gnutls26/guile-gnutls_2.4.2-5_i386.deb
libgnutls-dev_2.4.2-5_i386.deb
to pool/main/g/gnutls26/libgnutls-dev_2.4.2-5_i386.deb
libgnutls26-dbg_2.4.2-5_i386.deb
to pool/main/g/gnutls26/libgnutls26-dbg_2.4.2-5_i386.deb
libgnutls26_2.4.2-5_i386.deb
to pool/main/g/gnutls26/libgnutls26_2.4.2-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls26 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 31 Jan 2009 16:26:52 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc
guile-gnutls
Architecture: source all i386
Version: 2.4.2-5
Distribution: unstable
Urgency: low
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Description:
gnutls-bin - the GNU TLS library - commandline utilities
gnutls-doc - the GNU TLS library - documentation and examples
guile-gnutls - the GNU TLS library - GNU Guile bindings
libgnutls-dev - the GNU TLS library - development files
libgnutls26 - the GNU TLS library - runtime library
libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 509593
Changes:
gnutls26 (2.4.2-5) unstable; urgency=low
.
  * Pull two patches from upstream stable branch to make gnutls behavior
    match documentation:
    + patch 23_permit_v1_CA.diff: Accept v1 x509 CA certs if
      GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593
    + 22_deprecate_md2_md5_x509_validation.diff: Verifying untrusted X.509
      certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
      GNUTLS_CERT_INSECURE_ALGORITHM verification output.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmEcokACgkQHTOcZYuNdmPWWwCfdPvoGkSIny4oN44uq6WcM7Ie
M5YAn333feROGy+RPEfyavDkyqpt1d4Q
=edaj
-----END PGP SIGNATURE-----
--- End Message ---
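
Added example (not part of the bug report, the Debian changelog or the gnutls26 package): Python code that reads the two certificate fields the 2.4.2-5 changelog turns on, the X.509 version and the signature algorithm OID, from each certificate in a PEM bundle. All function names are assumptions of this example, and the sample bundle is constructed from truncated certificate skeletons rather than real certificates.

```python
import base64, re
# OIDs of the two signature algorithms the 2.4.2-5 changelog names.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "RSA-MD2", "1.2.840.113549.1.1.4": "RSA-MD5"}

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted form of OBJECT IDENTIFIER content (first arc 0 or 1 only)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:                  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return (x509_version, weak_signature_name_or_None) for one DER certificate."""
    tbs = read_tlv(read_tlv(der)[1])[1]  # Certificate -> tbsCertificate
    tag, content, pos = read_tlv(tbs)
    version = 1                          # v1 certificates omit the [0] version field
    if tag == 0xA0:
        version = read_tlv(content)[1][0] + 1
        pos = read_tlv(tbs, pos)[2]      # step over serialNumber
    alg = read_tlv(tbs, pos)[1]          # signature AlgorithmIdentifier
    return version, WEAK_SIG_OIDS.get(decode_oid(read_tlv(alg)[1]))

def audit_bundle(pem_text):
    """Inspect every certificate in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END", pem_text, re.S)
    return [inspect_cert(base64.b64decode(b)) for b in blocks]

# Constructed sample: truncated certificate skeletons (leading fields only), not real certs.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only
def _sample(version, oid_hex):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    ver = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    der = _tlv(0x30, _tlv(0x30, ver + _tlv(0x02, b"\x01") + alg))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = _sample(1, "2a864886f70d010104") + _sample(3, "2a864886f70d010105")
```

Passing the text of a real bundle such as /etc/ssl/certs/ca-certificates.crt to `audit_bundle` lists which entries are version 1 and which carry an RSA-MD2 or RSA-MD5 signature.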