Hi Randy,

On 11-06-14 03:34, Ryan Tandy wrote:
> Hi Paul,
>
> On 09/06/14 04:29 AM, Paul van der Vlis wrote:
>> While upgrading from Debian 6 to Debian 7 LDAPS did not work anymore on the
>> client. I found out the root-certificate was outdated for a long time and the
>> validity date of a root certificate is not checked on a Debian 6 client. But it
>> is checked on a Debian 7 client, and this can give unexpected problems while
>> upgrading. And it is a risk for Debian 6 installations.
>
> This is a behaviour change between squeeze and wheezy, yes, but in
> libgnutls, not libldap; you can confirm it using gnutls-cli.
>
> Are you suggesting the behaviour of gnutls in squeeze should be made
> more strict like in wheezy? If so we should reassign this to gnutls.

I think it's a bug in Squeeze not to check the root certificate. But fixing the bug will give problems in existing installations, and Squeeze does not have normal security support anymore. We could reassign it to gnutls, or tell the people from squeeze-lts about it. Maybe it's important for other packages or other situations.

>> The error while upgrading is:
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Without any context that is a bit vague, but it sounds like a result I
> would expect in case of an expired certificate. Increasing libldap's
> debug level, or testing with "ldapsearch -d 1", will show you more
> details about the underlying cause of the failure.
>
> If you need to disable the certificate verification to get your upgrade
> finished, you can use the TLS_REQCERT ldap.conf(5) option, but that's a
> rather big hammer as it disables several kinds of validation at once.
>
> As the expiry check has already been fixed in wheezy and later, can you
> be more explicit about the changes you think should be done in order to
> resolve this report?

My goal was to give some publicity for people who are searching for this problem during upgrading, like I did. And to tell about this bug in Squeeze. For me it's no problem to close the bug.

Thanks for your information!

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis
Linux system administration, Groningen
http://www.vandervlis.nl
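A pre-upgrade check for the situation described in this thread, added here as an example and not part of the bug report: it reads the TLS_CACERT path from an ldap.conf(5) file and reports whether that CA certificate is expired or about to expire, so the stricter validation in wheezy's gnutls does not surprise you mid-upgrade. It assumes the openssl command-line tool is installed; the ldap.conf path and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: check the CA certificate an LDAP client trusts before a
# squeeze -> wheezy upgrade. Squeeze's gnutls ignored the validity period,
# wheezy's enforces it, so an expired CA turns into
# "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)".
# Assumes the openssl CLI is available (assumption, not from the report).

# Print the TLS_CACERT path configured in the given ldap.conf(5) file.
ldap_cacert_path() {
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$1"
}

# Return 0 if the certificate in $1 stays valid for at least $2 more
# seconds, 1 if it expires sooner (or is already expired), 2 on error.
cert_valid_for() {
    cert="$1"; secs="$2"
    [ -r "$cert" ] || return 2
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Check the CA certificate referenced by an ldap.conf; warn if it expires
# within $2 days (default 30). Prints the notAfter date for the upgrade log.
check_ldap_cacert() {
    conf="$1"; days="${2:-30}"
    ca=$(ldap_cacert_path "$conf")
    if [ -z "$ca" ]; then
        echo "no TLS_CACERT in $conf (system CA bundle will be used)"
        return 2
    fi
    enddate=$(openssl x509 -in "$ca" -noout -enddate 2>/dev/null) || {
        echo "cannot read certificate $ca"; return 2; }
    echo "$ca: $enddate"
    if cert_valid_for "$ca" $((days * 86400)); then
        echo "OK: CA certificate valid for more than $days days"
        return 0
    fi
    echo "WARNING: CA certificate expires within $days days;"
    echo "wheezy's gnutls will reject it and the LDAPS bind will fail"
    return 1
}
```

Run it as `check_ldap_cacert /etc/ldap/ldap.conf 30` on the squeeze client before the upgrade; a non-zero exit means renew the CA (or fix TLS_CACERT) first rather than reaching for TLS_REQCERT.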