Your message dated Fri, 12 Dec 2008 15:44:37 +0100
with message-id <87tz99xxka....@mocca.josefsson.org>
and subject line Re: Bug#506853: libgnutls26: 2.4.2-3 breaks OpenLDAP access
has caused the Debian Bug report #506853,
regarding libgnutls26: 2.4.2-3 breaks OpenLDAP access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
506853: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgnutls26
Version: 2.4.2-3
Severity: important

After the upgrade from 2.4.2-1 to 2.4.2-3, access to an OpenLDAP server is 
broken. ldapwhoami says:
TLS: peer cert untrusted or revoked (0x2)
ldap_start_tls: Can't contact LDAP server (-1)

The certificate is valid until 2018 and was not revoked, everything works fine 
with the old version.
Unfortunately this breaks authentication via LDAP on all our machines, which 
caused me some trouble.

I had to revert to version 2.2.2-1 from snapshots.debian.net, since I didn't 
find the 2.4.2-1 version anywhere.

Thanks for all information concerning this.


- Stefan


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.4-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
pn  gnutls-bin                    <none>     (no description available)

-- no debconf information



--- End Message ---
--- Begin Message ---
Stefan Söffing <soeff...@gmx.de> writes:

> Simon Josefsson schrieb:
>> Thank you, I believe this is a problem with your CA certificate, it
>> contains a basic constraint as follows:
>>
>>                      Certificate Authority (CA): FALSE
>>
>> You need to set the CA constraint to TRUE for CA certificates.
>>   
>
> Oh well, thanks a lot! Creating a new CA with this set to TRUE really
> helped.
>
> I only wonder why the old certificate worked with previous gnutls
> versions...

Me too.

I was able to reproduce the problem with the latest gnutls without any of
the gnutls-sa-2008-3 patches, as you suggested in your initial report.

The reason the chain was approved then is that the CA cert is removed
from the list, leaving a chain of length 1, and the for loop that
checks the chain skips such short chains.  The CA is verified
against itself initially, but the CA=TRUE check is short-circuited in
check_if_ca because the issuer and the certificate are the same:

  /* If the subject certificate is the same as the issuer
   * return true.

With the latest code, the CA cert is (intentionally) removed because it
is self-signed, but there is an explicit check of the next-to-last
certificate against any of the configured trust anchors, and the
for loop then skips checking it further.  This fails because of the
explicit test, which calls check_if_ca on the EE cert and the CA; the
short-circuit in check_if_ca quoted above is then not triggered, and
after that there is code to check the basic constraint.

I think what you are seeing is a "positive" symptom of the gnutls-sa-2008-3
bug.

I'm closing this report since we've identified that the error message is
correct, so this isn't a bug that needs fixing.

Thanks,
/Simon


--- End Message ---
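The two verification orderings Simon describes (the old one that drops the self-signed CA and then has nothing left to check, and the patched one that explicitly checks the remaining certificate against the trust anchors) are easy to lose in prose. The following is an added illustration, not GnuTLS source and not code from either correspondent: certificates are plain records carrying only a subject, an issuer and the basicConstraints cA flag, signature checking is omitted, and the function names `verify_old`, `verify_new` and the sample names are assumptions chosen for the model. It reproduces the reported symptom: a CA:FALSE root is accepted by the old ordering and rejected by the new one, while a CA:FALSE intermediate is rejected by both.

```python
"""Toy model of the chain check described in the reply to #506853.

Added illustration, not GnuTLS code: a Cert is a record with a subject,
an issuer and the cA flag; signature verification is left out entirely.
Only the ordering of the cA checks is modelled, because that ordering
is what decides whether a CA:FALSE root slips through.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool          # basicConstraints cA flag, as certtool prints it


def is_self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer


def check_if_ca(cert: Cert, issuer: Cert) -> bool:
    """Mirrors the short-circuit quoted in the reply: when the certificate
    under test is the issuer itself, answer True before looking at the
    basicConstraints flag; otherwise the issuer must carry CA:TRUE."""
    if cert == issuer:
        return True
    return issuer.ca


def verify_old(chain: list[Cert], trust_anchors: list[Cert]) -> bool:
    """Pre-gnutls-sa-2008-3 ordering as described: the trusted self-signed
    CA is verified against itself (short-circuit), then dropped, and the
    pairwise loop has no pairs left for a two-certificate chain."""
    certs = list(chain)
    root = certs[-1]
    if root not in trust_anchors:
        return False
    if not check_if_ca(root, root):      # always True: cert is its own issuer
        return False
    certs.pop()                          # chain is now [EE] only
    for i in range(len(certs) - 1):      # zero iterations for a 1-cert chain
        if not check_if_ca(certs[i], certs[i + 1]):
            return False
    return True


def verify_new(chain: list[Cert], trust_anchors: list[Cert]) -> bool:
    """Patched ordering as described: the self-signed root is removed and
    the new last certificate is checked explicitly against the anchors, so
    check_if_ca sees EE and CA as distinct objects and inspects cA."""
    certs = list(chain)
    if is_self_signed(certs[-1]):
        certs.pop()
    last = certs[-1]
    anchor = next((a for a in trust_anchors if a.subject == last.issuer), None)
    if anchor is None or not check_if_ca(last, anchor):
        return False                     # a CA:FALSE root is rejected here
    for i in range(len(certs) - 1):
        if not check_if_ca(certs[i], certs[i + 1]):
            return False
    return True


# Constructed sample data (hypothetical names): an LDAP server certificate
# issued by a self-signed CA that carries CA:FALSE, as in the report, and
# the same CA re-created with CA:TRUE, as in the fix.
BAD_CA = Cert("CN=Example CA", "CN=Example CA", ca=False)
GOOD_CA = Cert("CN=Example CA", "CN=Example CA", ca=True)
LDAP = Cert("CN=ldap.example.org", "CN=Example CA", ca=False)


def compare(ee: Cert, ca: Cert) -> dict:
    """Run both orderings on the two-certificate chain [ee, ca]."""
    chain = [ee, ca]
    return {"old": verify_old(chain, [ca]), "new": verify_new(chain, [ca])}


if __name__ == "__main__":
    print("CA:FALSE root:", compare(LDAP, BAD_CA))   # old accepts, new rejects
    print("CA:TRUE  root:", compare(LDAP, GOOD_CA))  # both accept
```

Running it shows the "positive" symptom of the advisory: before the gnutls-sa-2008-3 fix the only certificate whose cA flag was ever inspected was an intermediate, so a two-certificate chain ending in a CA:FALSE root was accepted; after the fix the explicit anchor check inspects the root's flag too, and `ldapwhoami` reports the certificate as untrusted, which is the correct answer for such a CA.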