Public bug reported:

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3.

ldapsearch -d 1  -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The OpenLDAP ldap server certificate issued by Verisign is signed by:

Verisign_Intermediate-
Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem

which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

Verisign_Class_3_Public_Primary_Certification_Authority.pem
is a self-signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c, gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and, if it is a self-signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any 
platform have no problems with this old cert.

** Affects: gnutls13 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
gnutls fails to use Verisign CA cert without a Basic Constraint
https://bugs.launchpad.net/bugs/314915
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
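The certificate shape at the centre of the report is a self-signed root that carries no Basic Constraints extension, so a verifier that insists on that extension has nothing to read. The following script is an added example, not part of the bug report, the attached patch or gnutls itself; it builds two constructed self-signed roots with the openssl command-line tool (one with no extensions at all, one with basicConstraints CA:TRUE), classifies PEM files by that property, and shows that openssl verify accepts either as its own trust anchor, which matches the reporter's observation about OpenSSL-based clients. File names, subjects and function names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or gnutls): reproduce the kind of
# root the report describes, a self-signed cert with no Basic Constraints,
# and audit PEM files for it. Needs only the openssl CLI; every file name
# and subject below is constructed for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One throwaway key and CSR shared by both constructed roots.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -subj "/CN=Constructed Root" -out "$WORK/req.pem" >/dev/null 2>&1

# Root A: "x509 -req -signkey" with no -extfile adds no extensions, so the
# result has no Basic Constraints, like the 1996 VeriSign v1 root.
make_root_without_bc() {
    openssl x509 -req -days 1 -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
        -out "$1" >/dev/null 2>&1
}

# Root B: same key, but carrying basicConstraints CA:TRUE, the modern form.
make_root_with_bc() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ext.cnf"
    openssl x509 -req -days 1 -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
        -extfile "$WORK/ext.cnf" -out "$1" >/dev/null 2>&1
}

# True when issuer and subject match, the usual first test for self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when the cert has no Basic Constraints extension at all, the case in
# which gnutls_x509_crt_get_ca_status() has no data to return.
lacks_basic_constraints() {
    ! openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Basic Constraints'
}

# True when OpenSSL accepts the cert as its own trust anchor.
openssl_trusts_as_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Classify a PEM file as "legacy-root", "v3-root" or "not-self-signed".
classify_root() {
    if ! is_self_signed "$1"; then
        echo "not-self-signed"
    elif lacks_basic_constraints "$1"; then
        echo "legacy-root"
    else
        echo "v3-root"
    fi
}

make_root_without_bc "$WORK/legacy.pem"
make_root_with_bc "$WORK/modern.pem"
for f in "$WORK/legacy.pem" "$WORK/modern.pem"; do
    printf '%s: %s, openssl verify: %s\n' "$(basename "$f")" \
        "$(classify_root "$f")" \
        "$(openssl_trusts_as_anchor "$f" && echo OK || echo FAIL)"
done
```

Pointing classify_root at each file in /etc/ssl/certs is a quick way to list which installed roots would hit the code path the report describes; "legacy-root" entries are the ones a verifier that requires Basic Constraints will refuse, while OpenSSL accepts them as anchors because it treats a self-signed certificate in the trust store as trusted without consulting that extension.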
