Package: libldap-2.4-2
Version: 2.4.11-1
Severity: important
File: libldap

Hi,

I ran into this problem with the upgrade from sarge to lenny. At first I thought it was an issue related to GnuTLS (like bug #514578), but the error message I get in debug mode seems to point towards libldap.

When attempting to connect to a slapd server using TLS, with the URI containing an IP address, the connection fails. It seems that libpam-ldap and libnss-ldap are also affected.

The error message that seems confusing is:

TLS: hostname (129.104.26.101) does not match common name in certificate (129.104.26.101).

Here are the outputs of ldapsearch and gnutls-cli that seem to indicate that the problem is related to libldap and not to libgnutls, since gnutls-cli connects without problem.

g...@berlioz:~$ ldapsearch -x ldaps://129.104.26.101 -d 5
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 129.104.26.101:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 129.104.26.101:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: hostname (129.104.26.101) does not match common name in certificate (129.104.26.101).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

g...@berlioz:~$ gnutls-cli -p ldaps --x509cafile /etc/ldap/ssl/certs/dcmr-cacert.pem 129.104.26.101
Processed 1 CA certificate(s).
Resolving '129.104.26.101'...
Connecting to '129.104.26.101:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches '129.104.26.101'.
 # valid since: Wed Feb 18 09:20:09 CET 2009
 # expires at: Thu Feb 18 09:20:09 CET 2010
 # fingerprint: 4F:9E:C8:CA:EF:A6:B6:ED:5A:E7:AD:B7:B0:69:69:2F
 # Subject's DN: C=FR,ST=France,O=DCMR - Ecole Polytechnique,CN=129.104.26.101
 # Issuer's DN: O=DCMR - Ecole Polytechnique,OU=DCMR,EMAIL=[REMOVED],L=Palaiseau,ST=France,C=FR,CN=DCMR Root CA
 - Certificate[1] info:
 # valid since: Thu Jan 11 10:35:48 CET 2007
 # expires at: Sun Jan 8 10:35:48 CET 2017
 # fingerprint: CA:80:AF:D4:9B:3E:46:35:91:B9:BD:F5:59:BA:B6:56
 # Subject's DN: O=DCMR - Ecole Polytechnique,OU=DCMR,EMAIL=[REMOVED],L=Palaiseau,ST=France,C=FR,CN=DCMR Root CA
 # Issuer's DN: O=DCMR - Ecole Polytechnique,OU=DCMR,EMAIL=[REMOVED],L=Palaiseau,ST=France,C=FR,CN=DCMR Root CA
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:

Guillaume

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6        2.7-18           GNU C Library: Shared libraries
ii  libgnutls26  2.4.2-6          the GNU TLS library - runtime libr
ii  libsasl2-2   2.1.22.dfsg1-23  Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information