On Mon, 2009-02-09 at 16:48 +0100, Gabor Gombas wrote:
> On Mon, Feb 09, 2009 at 01:40:59PM +0100, Simon Josefsson wrote:
>
> > Please provide output from:
> >
> > gnutls-cli -p 663 your.ldap.server -d 4711 --print-cert
>
> Here it is:
Thanks.  The server certificate is signed using RSA-MD5 so the failure is
correct.

> > Replacing your.ldap.server as appropriate.
> >
> > I suspect your chain contains a certificate signed with RSA-MD5, if so
> > you need to trust an intermediary certificate directly to work around
> > the problem.  You'll need 2.4.2-6 for this to work.
>
> There is no intermediary certificate.  The server's cert is signed by the
> top-level CA directly, and TLS_CACERT in ldap.conf points to the CA
> certificate.  I can't point TLS_CACERT to the server's certificate since
> then I couldn't use different LDAP servers.

Could you try adding the server certificate to the TLS_CACERT file?  I
believe the file should be able to hold more than just one certificate.

Given the number of similar problems reported recently, I believe
openldap should be able to provide an option to pass the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 flag to gnutls.  It would make it easier
for users to deal with the transition.

/Simon

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
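The check behind this thread, as an added example that is not part of the original message or of the openldap/gnutls code: before deciding whether to whitelist anything, scan a PEM bundle (for instance the file TLS_CACERT points to, which may hold several certificates) and report the outer signatureAlgorithm of each certificate, flagging md5WithRSAEncryption (OID 1.2.840.113549.1.1.4). It uses a minimal DER walker rather than a crypto library so it runs anywhere Python does. The certificates in SAMPLE_BUNDLE are constructed, structurally minimal stand-ins (not valid X.509 certificates); the function names and the bundle are assumptions made here for illustration.

```python
"""Report the signature algorithm of every certificate in a PEM bundle,
flagging RSA-MD5 (the algorithm GnuTLS refuses to verify by default)."""
import base64
import re

OID_MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos (single-byte tags only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents to dotted form (first-byte rule for arcs < 2.40)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """OID of Certificate.signatureAlgorithm, i.e. what the CA actually signed with."""
    tag, cert, _ = der_read_tlv(der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30
    _, _tbs, pos = der_read_tlv(cert, 0)         # tbsCertificate (not parsed here)
    _, sigalg, _ = der_read_tlv(cert, pos)       # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = der_read_tlv(sigalg, 0)        # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    return decode_oid(oid)


def pem_certs(text):
    """Every certificate in a PEM bundle, as DER bytes, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def scan_bundle(text):
    """Return [(index, oid, is_rsa_md5)] for each certificate in the bundle."""
    return [(i, signature_oid(der), signature_oid(der) == OID_MD5_RSA)
            for i, der in enumerate(pem_certs(text))]


# --- constructed sample input (not real certificates) -----------------------
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def fake_cert_pem(sig_oid):
    """Constructed Certificate shell: placeholder tbsCertificate and signature,
    real AlgorithmIdentifier. Only the outer algorithm matters for this check."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = der_tlv(0x03, b"\x00" * 17)                                       # BIT STRING
    der = der_tlv(0x30, tbs + alg + sig)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# A SHA-256-signed CA followed by an RSA-MD5-signed server cert, as in the thread.
SAMPLE_BUNDLE = fake_cert_pem(OID_SHA256_RSA) + fake_cert_pem(OID_MD5_RSA)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, oid, md5 in scan_bundle(text):
        print(f"cert #{i}: signatureAlgorithm {oid}" + ("  <-- RSA-MD5" if md5 else ""))
```

Run it as `python3 scan_bundle.py /etc/ssl/certs/ca-certificates.crt` (or whatever TLS_CACERT names) to see which entries a GnuTLS-linked client will reject; concatenating the server certificate onto the bundle, as suggested above, only helps if the server certificate itself is the trust anchor, since GnuTLS still refuses to verify any RSA-MD5 signature that has to be checked along the chain.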