[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Jamie Strandboge
jamie at ubuntu.com
Tue Dec 23 16:49:08 GMT 2008
I have finally been able to reproduce this with ldapsearch.
After performing:
$ sudo apt-get install ca-certificates ldap-utils
I tried to do on unpatched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
ldap_open_defconn: successful
...
and then on patched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
All patched versions of gnutls on Hardy, Intrepid, Jaunty and Debian Sid
are affected (Dapper and Gutsy ldap-utils use openssl and are not
affected).
I cannot reproduce this with the gnutls tools. I have Ian's certificate
and the result of:
$ certtool -e --infile <Ian's certificate>
is the same for unpatched and patched versions of gnutls on hardy and
intrepid, and also jaunty.
I then did:
$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 \
<Ian's public ldap server>
and it works fine on patched and unpatched versions of gnutls on hardy
and intrepid, and also on jaunty.
** Also affects: openldap (Ubuntu)
Importance: Undecided
Status: New
** Changed in: openldap (Ubuntu Dapper)
Status: New => Invalid
** Changed in: openldap (Ubuntu Gutsy)
Status: New => Invalid
** Changed in: openldap (Ubuntu Hardy)
Status: New => Confirmed
** Changed in: openldap (Ubuntu Jaunty)
Status: New => Confirmed
--
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264