[Bug 305264] Re: gnutls regression: failure in certificate chain validation

Steve Langasek steve.langasek at canonical.com
Thu Jan 29 04:54:59 GMT 2009


The Debian gnutls maintainer points to
<http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e>, which shows how this is a gnutls bug rather than an openldap one.  Reopening the gnutls tasks and closing the openldap tasks.

The upstream commit is given here.
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0

Note, however, that this commit only fixes the problem when passing
certain non-default options to gnutls, which are not passed by openldap,
to enable use of V1 SSL certificates.  Ultimately, these certificate
chains worked with OpenLDAP+GnuTLS by accident, not design, as a result
of the bug fixed in this security update.

Upstream is opposed to changing the default flags to enable V1
certificates because V1 certs are vulnerable to various sorts of attack
and GnuTLS is documented to not support these by default.  I think it's
inappropriate to change the default flags in OpenLDAP for the same
reason.  If it's determined that enabling V1 certs is the lesser evil, I
think it makes more sense to enable them globally than to enable them
just in OpenLDAP, since this potentially affects all consumers of
libgnutls.

As for whether enabling them is the lesser evil, note that the attacks
V1 certs are subject to are not a strict subset of the attacks GnuTLS
was subject to prior to this security update, so there's no easy choice
here.

** Changed in: gnutls26 (Ubuntu Jaunty)
       Status: Fix Released => Triaged

** Changed in: gnutls26 (Ubuntu Intrepid)
       Status: Fix Released => Triaged

** Changed in: gnutls13 (Ubuntu Hardy)
       Status: Fix Released => Triaged

** Changed in: gnutls13 (Ubuntu Gutsy)
       Status: Fix Released => Triaged

** Changed in: gnutls12 (Ubuntu Dapper)
       Status: Fix Released => Triaged

** Changed in: openldap (Ubuntu Hardy)
       Status: Confirmed => Invalid

** Changed in: openldap (Ubuntu Intrepid)
       Status: Confirmed => Invalid

** Changed in: openldap (Ubuntu Jaunty)
       Status: Confirmed => Invalid

-- 
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264
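Added example, not part of the bug report and not code from GnuTLS or OpenLDAP: a self-contained check that audits a DER-encoded certificate chain for X.509 v1 issuer certificates, the kind GnuTLS rejects as CAs under its default verification flags (it exposes acceptance of them as the non-default GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag). The version field of an X.509 certificate is an optional `[0] EXPLICIT INTEGER` at the head of TBSCertificate, absent for v1, so only the leading DER fields need to be decoded. The function names and the two minimal byte strings are constructed for illustration; the parser works unchanged on real DER certificates.

```python
"""Flag X.509 v1 certificates in a DER-encoded chain (constructed example).

Only the leading fields of TBSCertificate are decoded, which is enough to
recover the version number:

  Certificate ::= SEQUENCE {
      tbsCertificate SEQUENCE {
          version      [0] EXPLICIT INTEGER DEFAULT v1(0),
          serialNumber INTEGER,
          ... },
      ... }
"""


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated tag or length")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length


def x509_version(der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate."""
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, tbs_start, _ = _read_tlv(der, cert_start)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (TBSCertificate)")
    tag, v_start, v_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:                       # no [0] version field: DEFAULT v1
        return 1
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02 or i_end != v_end:
        raise ValueError("malformed version field")
    raw = int.from_bytes(der[i_start:i_end], "big")
    if raw not in (0, 1, 2):
        raise ValueError(f"unknown X.509 version value {raw}")
    return raw + 1                        # encoded zero-based: 0=v1, 2=v3


def v1_ca_certs(chain: list) -> list:
    """Indices of issuer certificates (everything after the leaf at index 0)
    that are X.509 v1, i.e. would be rejected as CAs by default-flag GnuTLS."""
    return [i for i, der in enumerate(chain) if i > 0 and x509_version(der) == 1]


# Constructed minimal "certificates" carrying only the leading TBSCertificate
# fields that x509_version() inspects; a real audit would load PEM/DER files.
V3_CERT = bytes.fromhex("300a" "3008" "a003020102" "020101")  # [0] INTEGER 2 -> v3
V1_CERT = bytes.fromhex("3005" "3003" "020101")               # no version -> v1

if __name__ == "__main__":
    chain = [V3_CERT, V1_CERT]            # constructed: v3 leaf under a v1 "CA"
    print("versions:", [x509_version(c) for c in chain])
    print("v1 issuer positions:", v1_ca_certs(chain))
```

Running it against a deployed chain tells you, before the flags debate is settled, whether an OpenLDAP server's chain actually depends on a v1 CA being accepted; if `v1_ca_certs` returns an empty list, the chain is unaffected by the default-flag behaviour the note describes.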