Public bug reported: Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1 ldaps: has stopped working. This looks like it is related to the December changes that are also in gnutls-2.6.3.
ldapsearch -d 1 -H ldaps://...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The OpenLDAP ldap server certificate issued by Verisign is signed by:
Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem
which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem
Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

Verisign_Class_3_Public_Primary_Certification_Authority.pem is a self-signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c, gnutls_x509_crt_get_ca_status is called but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no Basic Constraint. The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for this return and, if it is a self-signed cert, will treat it as a CA. The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any platform, have no problems with this old cert.

** Affects: gnutls13 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
gnutls fails to use Verisign CA cert without a Basic Constraint
https://bugs.launchpad.net/bugs/314915
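The condition the report describes (a version 1 root with no extensions, so gnutls_x509_crt_get_ca_status has no Basic Constraint to read) and the patch's self-signed fallback, as an added example that is not code from the report or from gnutls: a small DER walk that reports a certificate's version and basicConstraints cA flag, plus the accept-as-CA decision before and after the patch. The toy_cert helper builds constructed skeleton certificates (not real ones), and self_signed is passed in rather than checked against a signature.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")          # id-ce-basicConstraints, 2.5.29.19

def read_tlv(buf, pos):
    """Decode one definite-length DER TLV at pos -> (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def inspect_cert(der):
    """Return (version, ca); ca is None when basicConstraints is absent (gnutls' REQUESTED_DATA_NOT_AVAILABLE)."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]            # Certificate -> tbsCertificate
    fields = list(children(tbs))
    version = fields[0][1][-1] + 1 if fields[0][0] == 0xA0 else 1   # no [0] tag => v1
    ca = None
    for tag, val in fields:
        if tag != 0xA3:                                   # [3] EXPLICIT extensions
            continue
        for _, ext in children(read_tlv(val, 0)[1]):
            parts = list(children(ext))                   # extnID, [critical], extnValue
            if parts[0][1] == BASIC_CONSTRAINTS_OID:
                bc = read_tlv(parts[-1][1], 0)[1]         # BasicConstraints SEQUENCE body
                ca = any(t == 0x01 and v != b"\x00" for t, v in children(bc))
    return version, ca

def accepted_as_ca(der, self_signed, patched):
    """Unpatched: no basicConstraints means not a CA; patched: self-signed without it counts as a CA."""
    ca = inspect_cert(der)[1]
    return ca if ca is not None else (patched and self_signed)

def tlv(tag, body):                                       # short-form DER only; test data builder
    return bytes([tag, len(body)]) + body

def toy_cert(v3, ca=None):
    """Constructed skeleton carrying only the fields the check walks; not a real certificate."""
    fields = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""             # [0] version v3
    fields += tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")    # serial, sigAlg, issuer
    if ca is not None:                                                 # basicConstraints extension
        bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
        fields += tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x04, bc))))
    return tlv(0x30, tlv(0x30, fields) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

inspect_cert also accepts the DER bytes of a real certificate, so running it over each trust anchor in a store shows which roots would hit this code path.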