[Bug 305264] Re: gnutls regression: failure in certificate chain validation

Jamie Strandboge jamie at ubuntu.com
Tue Dec 23 16:49:08 GMT 2008


I have finally been able to reproduce this with ldapsearch.

After performing:
$ sudo apt-get install ca-certificates ldap-utils

I tried to do on unpatched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
ldap_open_defconn: successful
...

and then on patched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

All patched versions of gnutls on Hardy, Intrepid, Jaunty and Debian Sid
are affected (Dapper and Gutsy ldap-utils use openssl and are not
affected).

I cannot reproduce this with the gnutls tools. I have Ian's certificate
and the result of:
$ certtool -e --infile <Ian's certificate>

is the same for unpatched and patched versions of gnutls on hardy and
intrepid, and also jaunty.

I then did:
$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 \
<Ian's public ldap server>

and it works fine on patched and unpatched versions of gnutls on hardy
and intrepid, and also on jaunty.


** Also affects: openldap (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: openldap (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: openldap (Ubuntu Gutsy)
       Status: New => Invalid

** Changed in: openldap (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: openldap (Ubuntu Jaunty)
       Status: New => Confirmed

-- 
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.