[Bug 305264] Re: gnutls regression: failure in certificate chain validation
star26bsd
stephan.rickauer at startek.ch
Wed Apr 1 09:39:56 BST 2009
@Martin Pitt: Ok, here's all the stuff:
$ ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d7
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch)
ldap_create
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.ini.uzh.ch:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.3.220:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x6121b0 msgid 1
wait4msg ld 0x6121b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x6121b0 msgid 1 all 1
** ld 0x6121b0 Connections:
* host: ldap.ini.uzh.ch port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Apr 1 10:27:29 2009
** ld 0x6121b0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x6121b0 request count 1 (abandoned 0)
** ld 0x6121b0 Response Queue:
Empty
ld 0x6121b0 response count 0
ldap_chkResponseList ld 0x6121b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x6121b0 NULL
ldap_int_select
read1msg: ld 0x6121b0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6121b0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6121b0 0 new referrals
read1msg: mark request completed, ld 0x6121b0 msgid 1
request done: ld 0x6121b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
tls_write: want=82, written=82
0000: 16 03 02 00 4d 01 00 00 49 03 02 49 d3 25 71 2b ....M...I..I.%q+
0010: 1e 5d fd 39 7b 4b 7f 7e 6a ac 75 04 40 44 e5 db .].9{K.~j.u.@D..
0020: 94 7a e8 71 c5 8f 15 3b 21 e9 16 00 00 18 00 39 .z.q...;!......9
0030: 00 33 00 16 00 38 00 32 00 13 00 66 00 35 00 2f .3...8.2...f.5./
0040: 00 0a 00 05 00 04 02 01 00 00 07 00 09 00 03 02 ................
0050: 00 01 ..
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 49 d3 25 6c 7c 54 63 e1 09 a6 ...F..I.%l|Tc...
0010: 4d 29 bc 73 64 5c 63 38 ce fe 5e 54 59 16 e1 2c M).sd\c8..^TY..,
0020: a2 e2 18 21 98 4d 20 79 d0 68 1a 46 fe e5 b4 a2 ...!.M y.h.F....
0030: 18 7a bc 8a 62 6d 6e a5 7b c1 1d 04 09 1e 58 45 .z..bmn.{.....XE
0040: 19 35 79 5b 5b 7f 5d 00 35 00 .5y[[.].5.
tls_read: want=5, got=5
0000: 16 03 01 04 bc .....
tls_read: want=1212, got=1212
0000: 0b 00 04 b8 00 04 b5 00 02 58 30 82 02 54 30 82 .........X0..T0.
0010: 01 bd 02 09 00 d4 2e e5 49 19 c2 af 2a 30 0d 06 ........I...*0..
0020: 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 6e 31 0b .*.H........0n1.
0030: 30 09 06 03 55 04 06 13 02 43 48 31 10 30 0e 06 0...U....CH1.0..
0040: 03 55 04 08 13 07 5a 75 65 72 69 63 68 31 10 30 .U....Zuerich1.0
0050: 0e 06 03 55 04 07 13 07 5a 75 65 72 69 63 68 31 ...U....Zuerich1
0060: 0c 30 0a 06 03 55 04 0a 13 03 49 4e 49 31 10 30 .0...U....INI1.0
0070: 0e 06 03 55 04 0b 13 07 4c 44 41 50 20 43 41 31 ...U....LDAP CA1
0080: 1b 30 19 06 03 55 04 03 13 12 63 61 2e 6c 64 61 .0...U....ca.lda
0090: 70 2e 69 6e 69 2e 75 7a 68 2e 63 68 30 1e 17 0d p.ini.uzh.ch0...
00a0: 30 39 30 33 32 36 31 35 31 32 35 37 5a 17 0d 31 090326151257Z..1
00b0: 39 30 33 32 34 31 35 31 32 35 37 5a 30 6f 31 0b 90324151257Z0o1.
00c0: 30 09 06 03 55 04 06 13 02 43 48 31 10 30 0e 06 0...U....CH1.0..
00d0: 03 55 04 08 13 07 5a 75 65 72 69 63 68 31 10 30 .U....Zuerich1.0
00e0: 0e 06 03 55 04 07 13 07 5a 75 65 72 69 63 68 31 ...U....Zuerich1
00f0: 0c 30 0a 06 03 55 04 0a 13 03 49 4e 49 31 14 30 .0...U....INI1.0
0100: 12 06 03 55 04 0b 13 0b 4c 44 41 50 20 53 65 72 ...U....LDAP Ser
0110: 76 65 72 31 18 30 16 06 03 55 04 03 13 0f 6c 64 ver1.0...U....ld
0120: 61 70 2e 69 6e 69 2e 75 7a 68 2e 63 68 30 81 9f ap.ini.uzh.ch0..
0130: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 0...*.H.........
0140: 81 8d 00 30 81 89 02 81 81 00 e3 dd 81 27 ef 0a ...0.........'..
0150: da b9 9a d5 de 78 63 8f a2 c7 5a 9a 45 9b 4e 13 .....xc...Z.E.N.
0160: de 2e 3f c0 3d 91 1d 25 fe 86 01 63 c8 18 42 65 ..?.=..%...c..Be
0170: c2 b4 7c 2c de db 7e f7 e8 93 a6 d0 b2 9b e2 f3 ..|,..~.........
0180: dc e9 5d b7 be 0b 60 b1 2d 69 3f a8 d8 f9 e3 90 ..]...`.-i?.....
0190: 72 2e 0d 31 3c 03 1e 0a 09 11 ef 23 6b d9 03 d8 r..1<......#k...
01a0: ff a3 72 36 a3 92 fd bb 36 d9 90 d2 31 10 26 b6 ..r6....6...1.&.
01b0: d0 b2 79 b1 72 57 ed 19 df 2f c6 85 b7 89 3d 26 ..y.rW.../....=&
01c0: 15 1b b4 92 18 03 44 11 c0 f3 02 03 01 00 01 30 ......D........0
01d0: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 ...*.H..........
01e0: 81 00 5e 14 9c a7 31 ae 49 45 98 7e 86 6d 98 73 ..^...1.IE.~.m.s
01f0: b0 bd 6b 8a 2c 16 f8 cb 95 c8 dc 23 e9 d9 6f c0 ..k.,......#..o.
0200: bb a6 81 c0 85 8a ab fb f0 b8 61 d5 dc 40 a2 51 ..........a..@.Q
0210: b5 22 8c 8b 48 96 7e e4 5c 35 42 9f a1 9b db c5 ."..H.~.\5B.....
0220: b2 bb f1 e8 2a 7c f3 54 c8 ea 7a c1 32 e0 1d ba ....*|.T..z.2...
0230: f6 8d e2 84 4e dd ee a2 e0 91 d2 49 79 ee b9 e0 ....N......Iy...
0240: de 47 2e d7 82 8c 8b 6b 57 34 18 8e fb a6 e0 97 .G.....kW4......
0250: ee 3f e0 08 95 5c 99 84 c5 e5 50 10 60 54 75 9e .?...\....P.`Tu.
0260: f4 52 00 02 57 30 82 02 53 30 82 01 bc 02 09 00 .R..W0..S0......
0270: fd 30 91 50 d0 da c3 b5 30 0d 06 09 2a 86 48 86 .0.P....0...*.H.
0280: f7 0d 01 01 04 05 00 30 6e 31 0b 30 09 06 03 55 .......0n1.0...U
0290: 04 06 13 02 43 48 31 10 30 0e 06 03 55 04 08 13 ....CH1.0...U...
02a0: 07 5a 75 65 72 69 63 68 31 10 30 0e 06 03 55 04 .Zuerich1.0...U.
02b0: 07 13 07 5a 75 65 72 69 63 68 31 0c 30 0a 06 03 ...Zuerich1.0...
02c0: 55 04 0a 13 03 49 4e 49 31 10 30 0e 06 03 55 04 U....INI1.0...U.
02d0: 0b 13 07 4c 44 41 50 20 43 41 31 1b 30 19 06 03 ...LDAP CA1.0...
02e0: 55 04 03 13 12 63 61 2e 6c 64 61 70 2e 69 6e 69 U....ca.ldap.ini
02f0: 2e 75 7a 68 2e 63 68 30 1e 17 0d 30 39 30 33 32 .uzh.ch0...09032
0300: 36 31 35 31 30 30 36 5a 17 0d 31 39 30 33 32 34 6151006Z..190324
0310: 31 35 31 30 30 36 5a 30 6e 31 0b 30 09 06 03 55 151006Z0n1.0...U
0320: 04 06 13 02 43 48 31 10 30 0e 06 03 55 04 08 13 ....CH1.0...U...
0330: 07 5a 75 65 72 69 63 68 31 10 30 0e 06 03 55 04 .Zuerich1.0...U.
0340: 07 13 07 5a 75 65 72 69 63 68 31 0c 30 0a 06 03 ...Zuerich1.0...
0350: 55 04 0a 13 03 49 4e 49 31 10 30 0e 06 03 55 04 U....INI1.0...U.
0360: 0b 13 07 4c 44 41 50 20 43 41 31 1b 30 19 06 03 ...LDAP CA1.0...
0370: 55 04 03 13 12 63 61 2e 6c 64 61 70 2e 69 6e 69 U....ca.ldap.ini
0380: 2e 75 7a 68 2e 63 68 30 81 9f 30 0d 06 09 2a 86 .uzh.ch0..0...*.
0390: 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 H............0..
03a0: 02 81 81 00 c1 c7 be 63 c4 ea da f0 ab fc 11 75 .......c.......u
03b0: d9 41 38 06 79 23 04 bf a6 61 3a 19 d2 83 93 39 .A8.y#...a:....9
03c0: eb 17 51 62 1b 22 fd 0f 79 cb 92 fb 0c a5 79 65 ..Qb."..y.....ye
03d0: 98 0a 92 00 1b 70 fe b7 ca a1 4e 44 48 64 55 41 .....p....NDHdUA
03e0: 6d a2 66 2d 36 5a 76 04 e5 b2 f5 e3 05 b7 07 85 m.f-6Zv.........
03f0: 6a 44 b9 9d c6 7b fe 7a 34 92 3d f2 39 92 f7 90 jD...{.z4.=.9...
0400: e3 64 9b bb 95 8d a6 08 53 ef 16 96 0d 60 ac ae .d......S....`..
0410: 74 65 18 03 f0 ff 9a e7 59 d9 7b 8d 5a cd 9b 8e te......Y.{.Z...
0420: 1e d0 f2 6f 02 03 01 00 01 30 0d 06 09 2a 86 48 ...o.....0...*.H
0430: 86 f7 0d 01 01 04 05 00 03 81 81 00 aa d0 f9 11 ................
0440: 73 95 76 7c 6d 56 d6 cf 86 37 19 57 d4 63 39 b4 s.v|mV...7.W.c9.
0450: b8 ff 43 96 d5 d5 37 ae e3 64 19 c2 51 59 06 b8 ..C...7..d..QY..
0460: fd b3 10 15 f1 6e a0 df a4 99 54 e2 aa 2c 4e 6f .....n....T..,No
0470: 03 4e e4 d1 48 38 07 5d 39 ba d4 d5 16 a8 75 57 .N..H8.]9.....uW
0480: c3 82 ac 60 10 3f a2 96 ec b6 b5 b4 44 91 62 60 ...`.?......D.b`
0490: d0 5f 4a 71 ed cf 1a 02 dc 10 cc 12 a3 fd 46 d5 ._Jq..........F.
04a0: 50 80 e3 eb fc bf 78 24 a5 ad 90 03 22 e9 12 83 P.....x$...."...
04b0: 57 ba b5 b9 9d ae de b7 a6 40 67 20 W........@g
tls_read: want=5, got=5
0000: 16 03 01 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 28 63 c6 56 40 ...........(c.V@
0010: 23 e0 7c a2 5e f2 65 1b f7 52 2b bb 4c 0a bf 2e #.|.^.e..R+.L...
0020: 43 ab 31 76 d9 f7 95 89 d8 14 9d 4b 3f 3d 6e 93 C.1v.......K?=n.
0030: 85 bc 2b a9 9d 3e 34 89 98 f3 93 92 5b d1 54 c4 ..+..>4.....[.T.
0040: f2 86 38 a9 e9 04 13 ba 61 2c 24 a2 14 9b da 18 ..8.....a,$.....
0050: 3d a6 0c 14 72 2e 59 11 b0 d6 41 01 c4 c0 25 9f =...r.Y...A...%.
0060: 90 2e 2f de 5b 80 1e 0c c9 b2 6f ef a2 c8 4f a2 ../.[.....o...O.
0070: d6 f7 0a 07 df fd 61 ca 6a 75 0e 03 73 87 cd 65 ......a.ju..s..e
0080: d8 9b 16 e1 48 92 ad 3d 04 5e 28 ....H..=.^(
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=261, written=261
0000: 16 03 01 01 00 5b 80 13 93 db 80 5e 0f 64 7f 28 .....[.....^.d.(
0010: d7 8d 53 77 ed 3b 41 24 fa 82 a5 23 79 45 a8 cc ..Sw.;A$...#yE..
0020: 7b 97 28 37 47 c6 7f 1d 7c a9 97 b4 41 26 86 85 {.(7G...|...A&..
0030: 7a 02 6a ab e1 53 01 b6 77 8f 8f 8b 87 d7 18 f2 z.j..S..w.......
0040: f3 f5 57 a8 06 49 ae 5d 6e b0 ed 0f 7d a4 99 8a ..W..I.]n...}...
0050: 77 d9 71 c3 36 cf 1b 94 57 7a 18 0e 81 d2 31 89 w.q.6...Wz....1.
0060: 12 b8 6f 61 5f 29 ed c5 85 32 3f 77 ec ff 84 a9 ..oa_)...2?w....
0070: 11 15 26 39 76 94 54 01 ca b4 71 33 ae a3 6a 8e ..&9v.T...q3..j.
0080: b2 90 0d 53 3d d2 5d c6 9b 81 26 43 35 21 11 4a ...S=.]...&C5!.J
0090: 7e a4 2a 7c f4 f2 5a 5e b6 4b de bd 1a 27 d7 fd ~.*|..Z^.K...'..
00a0: d4 84 7d 94 c3 47 92 bc df a6 b0 5f 13 00 28 ec ..}..G....._..(.
00b0: e6 84 90 f1 7f da 57 c2 82 e2 10 b2 90 d6 3a 6b ......W.......:k
00c0: ce 58 56 e1 ca c3 54 1e 82 94 84 58 e4 e5 97 43 .XV...T....X...C
00d0: d7 fe d5 0a 48 83 3e ce 25 79 a7 05 8b 0e ee fe ....H.>.%y......
00e0: f2 43 90 4a c8 5f 0e 44 db bb e0 30 31 41 d3 a5 .C.J._.D...01A..
00f0: 22 11 0c 8c 94 bf bf e1 07 02 19 a9 b5 27 dd 68 "............'.h
0100: 45 dc 97 57 44 E..WD
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
0000: eb 49 a2 66 26 84 e9 b0 83 67 1b 06 26 45 cc 81 .I.f&....g..&E..
0010: 9a ac 10 73 b4 47 57 16 2f 53 6a 31 81 1f 8b ec ...s.GW./Sj1....
0020: b5 3c a9 0e c6 9e 40 3e 22 d4 42 10 5d 72 fb b1 .<....@>".B.]r..
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_start_tls: Connect error (-11)
$ gnutls-cli --x509cafile /etc/ssl/ca.crt -p 636 ldap.ini.uzh.ch
Processed 1 CA certificate(s).
Resolving 'ldap.ini.uzh.ch'...
Connecting to '172.16.3.220:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'ldap.ini.uzh.ch'.
# valid since: Thu Mar 26 16:12:57 CET 2009
# expires at: Sun Mar 24 16:12:57 CET 2019
# fingerprint: 85:DC:41:56:F7:A0:DC:9A:D6:D1:C6:8D:26:41:60:22
# Subject's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP Server,CN=ldap.ini.uzh.ch
# Issuer's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
- Certificate[1] info:
# valid since: Thu Mar 26 16:10:06 CET 2009
# expires at: Sun Mar 24 16:10:06 CET 2019
# fingerprint: B9:EF:76:2B:CD:2B:D4:5A:FF:08:AD:E6:9C:18:3E:0D
# Subject's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
# Issuer's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
*** Verifying server certificate failed...
So it looks like it's because gnutls thinks the certificate is not trusted. However, it's the same CA cert as the one used on the LDAP server:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
--
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264
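The report above stops at "peer cert untrusted or revoked" and the reporter's statement that the local CA file is the same CA the server uses. The following shell script is an added example, not part of the bug report or of the openldap/gnutls packages: it builds a throwaway PKI with openssl (assumed to be installed; the DNs, file names and the second same-DN CA are all constructed here) and then runs the two checks a practitioner wants before blaming the validator: does the server certificate actually chain to the CA file the client is configured with, and is the CA in that file byte-for-byte the one the server sends, compared by fingerprint rather than by subject DN. It also prints the signature algorithm in words, which the wire dump above only shows as a DER-encoded OID.

```shell
#!/bin/sh
# Added example, not part of the bug report: a throwaway PKI built with
# openssl (assumed installed) to show the checks that separate "the CA
# file is wrong" from "the validator is wrong" when a client reports
# "peer cert untrusted".
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA, a server cert it issued, and a
# second CA with an identical DN standing in for a stale local ca.crt.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/C=CH/O=Example/OU=LDAP CA/CN=ca.ldap.example.test' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj '/C=CH/O=Example/OU=LDAP Server/CN=ldap.example.test' \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/C=CH/O=Example/OU=LDAP CA/CN=ca.ldap.example.test' \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Check 1: does the server cert chain to the given CA file? (exit 0 = yes)
chain_verifies() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: fingerprint of a PEM cert. Two CAs can share a DN and still be
# different certificates, so compare fingerprints, not subject names.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Human-readable signature algorithm (a wire dump shows it only as an OID).
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

make_test_pki
printf 'served CA fingerprint  : %s\n' "$(fingerprint "$WORK/ca.crt")"
printf 'local CA fingerprint   : %s\n' "$(fingerprint "$WORK/other.crt")"
if chain_verifies "$WORK/ca.crt"; then
    echo 'against issuing CA     : chain OK'
fi
if chain_verifies "$WORK/other.crt"; then
    echo 'against same-DN CA     : chain OK (unexpected)'
else
    echo 'against same-DN CA     : rejected (this is what "untrusted" looks like)'
fi
printf 'server cert signed with: %s\n' "$(sig_alg "$WORK/server.crt")"
```

Run it as-is to see both outcomes side by side. In a real investigation, substitute the CA file the client is configured with (for example `/etc/ssl/ca.crt` from the gnutls-cli invocation above) and the chain the server sends; if the fingerprints differ despite matching DNs, the CA was reissued and the client's copy is stale, which produces exactly the "untrusted" verdict without any validator bug.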