[Bug 305264] Re: gnutls regression: failure in certificate chain validation

Jamie Strandboge jamie at ubuntu.com
Fri Jan 30 16:55:34 GMT 2009

Commenting per request in #ubuntu-meeting.

It is a really unfortunate situation that these certificates
unintentionally passed verification before the updates. IMO, the
security fix (that is also in other distributions now) is needed and
should not be backed out. Without it, man-in-the middle attacks against
certificate chains are much easier to conduct. From a security
perspective, the patch needs to stay and the gnutls defaults of
disabling V1 certificates need to stay the same.

I am well aware that the current situation breaks certain
configurations, and do not feel I can make the final decision.

There is also the patch in bug #314915, also discussed upstream, that
may be an option. AFAICT, this patch has not been applied upstream yet
and I feel uncomfortable applying it without more Debian and Gnutls
feedback (lately, each time this section of code has been touched
another bug in the certificate chain verification popped up).

gnutls regression: failure in certificate chain validation
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.

More information about the Ubuntu-server-bugs mailing list