Hi, we’ve got a range of systems in existence, from Debian etch (formerly sarge) to sid, and Kubuntu hardy (formerly dapper) to precise.
Now, their latest release, prolonged pain precisely, fails to connect to our LDAP server (Univention Corporate Server 2.4), whereas it works with OpenSSL. I’ve had similar issues in hardy where a “security” update broke things due to GnuTLS, but this is new, and somehow gnutls-cli lacks the usual debugging output.

root@foo-test:~ # openssl s_client -CAfile /etc/ssl/certs/ca-c* -connect dc.lan.tarent.de:636
CONNECTED(00000003)
depth=1 C = DE, ST = NRW, L = Bonn, O = tarent GmbH, OU = IT, CN = Univention Corporate Server Root CA, emailAddress = admins@tarent.de
verify return:1
depth=0 C = DE, ST = NRW, L = Bonn, O = tarent GmbH, OU = IT, CN = dc.lan.tarent.de, emailAddress = admins@tarent.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=dc.lan.tarent.de/emailAddress=admins@tarent.de
   i:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins@tarent.de
 1 s:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins@tarent.de
   i:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins@tarent.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzENMAsGA1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdt
YkgxCzAJBgNVBAsTAklUMSwwKgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBT
ZXJ2ZXIgUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZTAe
Fw0xMTAyMDcxMDI0MjlaFw0xNjAyMDYxMDI0MjlaMIGJMQswCQYDVQQGEwJERTEM
MAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0YXJlbnQgR21i
SDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEGRjLmxhbi50YXJlbnQuZGUxHzAdBgkq
hkiG9w0BCQEWEGFkbWluc0B0YXJlbnQuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALec1kjx6ebHDWjNZ47DFCk91oMR0JU7dWKdDcJnX4NpIClXfYmfT5lU
1nIdEVkaG9vqAEgv1tXGVh78y5HENvjMoqndNK0vZuuJ+huoV5oLdfHaDKfQ9HM9
zyQedZVvu3/BZRI2ZOustxQrbZk/BbY2zEGZ+vtSiUaUgy2sNBPvAgMBAAGjggEB
MIH+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFIX4Fy+mIvJiFcXakJKmS6d+AH+mMIHR
BgNVHSMEgckwgcaAFGGbZa17dyVam6QIMlB3SSrW3R12oYGipIGfMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlggkAnXueqx7HokkwDQYJKoZIhvcNAQEFBQADggEBACM2aAg5fCBucTeX
RLy7tq8wb33nkPs9Ai2IyUSkdk5lIarNapKApYZKnX7cWrpNiGejG6lLyYXwS9oo
QQs94SnLt3583sL+VTxST3Xj4sQicbkZW+I/QX+Y3sACvhibDEawXHZPCzMQxNgk
LvBsaM7uAo7HhzoPVQlM32rg3mXX7Nsunv31hw/WjKHI0MW8YfBIPf3o40GGnDcn
QRFhzYQY3u+bYKz0qzy1YfQxjvqFBnrJJFC1m9wfZs9dfAjkDb5TDVTKR1y1sEaU
g2SrN46OVYEygNqlSTJdcgxcFWSrS1W3yrtBoduP8xqyWePasO3TTHWkNIwfKnPm
0HJAFlU=
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=dc.lan.tarent.de/emailAddress=admins@tarent.de
issuer=/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins@tarent.de
---
No client certificate CA names sent
---
SSL handshake has read 2755 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 8C490472FCC8CC171EC84BF3DE01F1350331F3B07609F84A140C60DBEA18ECDD
    Session-ID-ctx:
    Master-Key: 97C718741EDBC258C73313979B1992F4FCDC400948A143B6BC68D0C2465CF6CE948BEB22E4013E05595986326BF3657D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 30 2c d0 40 e2 10 8a f3-01 23 47 48 d8 f8 0c 68   0,.@.....#GH...h
    0010 - 7e e8 47 02 9a 25 b3 17-2f c9 ca 04 1c 4c fa 6c   ~.G..%../....L.l
    0020 - 95 32 82 57 c6 4c b4 0e-bd 0a 64 fa 06 ab 1f 8b   .2.W.L....d.....
    0030 - f1 aa f1 43 03 ba 70 67-4d de e6 56 fc 9e 9b ce   ...C..pgM..V....
    0040 - c9 90 f5 f3 a5 33 d5 a6-99 a0 e9 8a 3f 12 8e 9d   .....3......?...
    0050 - 32 86 2f a0 89 a5 a0 30-2f 4b 85 4e d2 ec b4 0a   2./....0/K.N....
    0060 - 92 35 2b ba 12 6f 5c aa-a2 6d e4 b0 c7 5e d8 27   .5+..o\..m...^.'
    0070 - 95 cf 22 8d 9a f5 1d 25-f5 a8 7d 22 62 4b b2 70   .."....%..}"bK.p
    0080 - c9 e8 7d 86 d3 5b 0b f1-24 34 1c e8 2e 8f f9 ca   ..}..[..$4......
    0090 - 70 70 d8 a1 99 49 0b b0-63 5e 13 e6 4a 41 87 70   pp...I..c^..JA.p

    Compression: 1 (zlib compression)
    Start Time: 1336645861
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
QUIT
DONE
root@foo-test:~ # gnutls-cli -V -d 4711 -p 636 --x509cafile /etc/ssl/certs/ca-c* dc.lan.tarent.de
Processed 407 CA certificate(s).
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
|<4>| REC[0x11d0210]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x11d0210]: Allocating epoch #1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x11d0210]: Sending extension SERVER NAME (21 bytes)
|<2>| EXT[0x11d0210]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x11d0210]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x11d0210]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x11d0210]: CLIENT HELLO was sent [141 bytes]
|<6>| BUF[HSK]: Inserted 141 bytes of Data
|<7>| HWRITE: enqueued 141. Total 141 bytes.
|<7>| HWRITE FLUSH: 141 bytes in buffer.
|<4>| REC[0x11d0210]: Sending Packet[0] Handshake(22) with length: 141
|<7>| WRITE: enqueued 146 bytes for 0x4. Total 146 bytes.
|<4>| REC[0x11d0210]: Sent Packet[1] Handshake(22) with length: 146
|<7>| HWRITE: wrote 141 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 146 bytes in buffer.
|<7>| WRITE: wrote 146 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x11d0210]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x11d0210]: Received Packet[0] Handshake(22) with length: 53
|<7>| READ: Got 53 bytes from 0x4
|<7>| READ: read 53 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 53 bytes.
|<7>| RB: Requested 58 bytes
|<4>| REC[0x11d0210]: Decrypted Packet[0] Handshake(22) with length: 53
|<6>| BUF[HSK]: Inserted 53 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x11d0210]: SERVER HELLO was received [53 bytes]
|<6>| BUF[REC][HD]: Read 49 bytes of Data(22)
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 49 bytes of Data
|<3>| HSK[0x11d0210]: Server's version: 3.1
|<3>| HSK[0x11d0210]: SessionID length: 0
|<3>| HSK[0x11d0210]: SessionID: 00
|<3>| HSK[0x11d0210]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| EXT[0x11d0210]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0x11d0210]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0x11d0210]: Safe renegotiation succeeded
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x11d0210]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x11d0210]: Received Packet[1] Handshake(22) with length: 2449
|<7>| READ: Got 2449 bytes from 0x4
|<7>| READ: read 2449 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2449 bytes.
|<7>| RB: Requested 2454 bytes
|<4>| REC[0x11d0210]: Decrypted Packet[1] Handshake(22) with length: 2449
|<6>| BUF[HSK]: Inserted 2449 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x11d0210]: CERTIFICATE was received [2449 bytes]
|<6>| BUF[REC][HD]: Read 2445 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 194 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 2445 bytes of Data
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: dn.c:1209
[... the line "|<2>| ASSERT: dn.c:1209" is repeated a few hundred more times ...]
|<2>| ASSERT: mpi.c:609
|<2>| ASSERT: gnutls_pk.c:266
|<2>| ASSERT: verify.c:730
|<2>| ASSERT: verify.c:857
|<2>| ASSERT: verify.c:1011
|<2>| ASSERT: verify.c:373
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: verify.c:552
*** Verifying server certificate failed...
|<2>| ASSERT: gnutls_kx.c:705
|<2>| ASSERT: gnutls_handshake.c:2777
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: Error in the certificate.
|<4>| REC: Sending Alert[2|42] - Certificate is bad
|<4>| REC[0x11d0210]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x11d0210]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: Error in the certificate.
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x11d0210]: Epoch #0 freed
|<4>| REC[0x11d0210]: Epoch #1 freed

Versions:

# dpkg-query -W gnutls-bin libgnutls2{6,8}
gnutls-bin	3.0.11+really2.12.14-5ubuntu3
libgnutls26	2.12.14-5ubuntu3
No packages found matching libgnutls28.

Debian sid for comparison has:

root@tglase-amd64:~ # dpkg-query -W gnutls-bin libgnutls2{6,8}
gnutls-bin	3.0.19-2
libgnutls26:amd64	2.12.19-1
libgnutls28:amd64	3.0.19-2
root@tglase-amd64:~ # gnutls-cli -V -p 636 --x509cafile /etc/ssl/certs/ca-c* dc.lan.tarent.de
Processed 407 CA certificate(s).
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'dc.lan.tarent.de'.
- Session ID: 4F:07:04:93:B6:2A:AB:BA:CF:3A:6F:D0:78:DB:17:91:CF:4F:09:3F:58:98:19:DA:89:A0:CB:C6:93:E9:FC:36
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 01
	Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Validity:
		Not Before: Mon Feb 07 10:24:29 UTC 2011
		Not After: Sat Feb 06 10:24:29 UTC 2016
	Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=dc.lan.tarent.de,EMAIL=admins@tarent.de
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Low (1024 bits)
		Modulus (bits 1024):
			00:b7:9c:d6:48:f1:e9:e6:c7:0d:68:cd:67:8e:c3:14
			29:3d:d6:83:11:d0:95:3b:75:62:9d:0d:c2:67:5f:83
			69:20:29:57:7d:89:9f:4f:99:54:d6:72:1d:11:59:1a
			1b:db:ea:00:48:2f:d6:d5:c6:56:1e:fc:cb:91:c4:36
			f8:cc:a2:a9:dd:34:ad:2f:66:eb:89:fa:1b:a8:57:9a
			0b:75:f1:da:0c:a7:d0:f4:73:3d:cf:24:1e:75:95:6f
			bb:7f:c1:65:12:36:64:eb:ac:b7:14:2b:6d:99:3f:05
			b6:36:cc:41:99:fa:fb:52:89:46:94:83:2d:ac:34:13
			ef
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): FALSE
		Subject Key Identifier (not critical):
			85f8172fa622f26215c5da9092a64ba77e007fa6
		Authority Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
	Signature Algorithm: RSA-SHA1
	Signature:
		23:36:68:08:39:7c:20:6e:71:37:97:44:bc:bb:b6:af
		30:6f:7d:e7:90:fb:3d:02:2d:88:c9:44:a4:76:4e:65
		21:aa:cd:6a:92:80:a5:86:4a:9d:7e:dc:5a:ba:4d:88
		67:a3:1b:a9:4b:c9:85:f0:4b:da:28:41:0b:3d:e1:29
		cb:b7:7e:7c:de:c2:fe:55:3c:52:4f:75:e3:e2:c4:22
		71:b9:19:5b:e2:3f:41:7f:98:de:c0:02:be:18:9b:0c
		46:b0:5c:76:4f:0b:33:10:c4:d8:24:2e:f0:6c:68:ce
		ee:02:8e:c7:87:3a:0f:55:09:4c:df:6a:e0:de:65:d7
		ec:db:2e:9e:fd:f5:87:0f:d6:8c:a1:c8:d0:c5:bc:61
		f0:48:3d:fd:e8:e3:41:86:9c:37:27:41:11:61:cd:84
		18:de:ef:9b:60:ac:f4:ab:3c:b5:61:f4:31:8e:fa:85
		06:7a:c9:24:50:b5:9b:dc:1f:66:cf:5d:7c:08:e4:0d
		be:53:0d:54:ca:47:5c:b5:b0:46:94:83:64:ab:37:8e
		8e:55:81:32:80:da:a5:49:32:5d:72:0c:5c:15:64:ab
		4b:55:b7:ca:bb:41:a1:db:8f:f3:1a:b2:59:e3:da:b0
		ed:d3:4c:75:a4:34:8c:1f:2a:73:e6:d0:72:40:16:55
Other Information:
	SHA-1 fingerprint:
		c11f5038e915c4cdf36743bc39b62ff60be8fdbf
	Public Key Id:
		d7b3d676cb339e976809b438a12e7bf0f30c5ba5
	Public key's random art:
		+--[ RSA 1024]----+
		[random-art rows lost in archiving]
		+-----------------+

-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzENMAsGA1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdt
YkgxCzAJBgNVBAsTAklUMSwwKgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBT
ZXJ2ZXIgUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZTAe
Fw0xMTAyMDcxMDI0MjlaFw0xNjAyMDYxMDI0MjlaMIGJMQswCQYDVQQGEwJERTEM
MAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0YXJlbnQgR21i
SDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEGRjLmxhbi50YXJlbnQuZGUxHzAdBgkq
hkiG9w0BCQEWEGFkbWluc0B0YXJlbnQuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALec1kjx6ebHDWjNZ47DFCk91oMR0JU7dWKdDcJnX4NpIClXfYmfT5lU
1nIdEVkaG9vqAEgv1tXGVh78y5HENvjMoqndNK0vZuuJ+huoV5oLdfHaDKfQ9HM9
zyQedZVvu3/BZRI2ZOustxQrbZk/BbY2zEGZ+vtSiUaUgy2sNBPvAgMBAAGjggEB
MIH+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFIX4Fy+mIvJiFcXakJKmS6d+AH+mMIHR
BgNVHSMEgckwgcaAFGGbZa17dyVam6QIMlB3SSrW3R12oYGipIGfMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlggkAnXueqx7HokkwDQYJKoZIhvcNAQEFBQADggEBACM2aAg5fCBucTeX
RLy7tq8wb33nkPs9Ai2IyUSkdk5lIarNapKApYZKnX7cWrpNiGejG6lLyYXwS9oo
QQs94SnLt3583sL+VTxST3Xj4sQicbkZW+I/QX+Y3sACvhibDEawXHZPCzMQxNgk
LvBsaM7uAo7HhzoPVQlM32rg3mXX7Nsunv31hw/WjKHI0MW8YfBIPf3o40GGnDcn
QRFhzYQY3u+bYKz0qzy1YfQxjvqFBnrJJFC1m9wfZs9dfAjkDb5TDVTKR1y1sEaU
g2SrN46OVYEygNqlSTJdcgxcFWSrS1W3yrtBoduP8xqyWePasO3TTHWkNIwfKnPm
0HJAFlU=
-----END CERTIFICATE-----
- Certificate[1] info:
 - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 009d7b9eab1ec7a249
	Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Validity:
		Not Before: Mon Feb 07 10:24:29 UTC 2011
		Not After: Wed Feb 06 10:24:29 UTC 2013
	Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Legacy (2048 bits)
		Modulus (bits 2048):
			00:b1:86:75:49:51:8c:0d:19:f4:f5:1d:9e:63:c1:0b
			01:04:df:ba:dc:05:bc:49:4e:6c:21:de:7b:2c:a5:dd
			bf:89:bd:2f:8e:a6:e1:6a:61:aa:4c:e0:1e:c4:48:5e
			04:45:33:b9:d8:1f:99:ab:46:72:f4:42:f7:5a:4a:0d
			ec:a6:78:2d:1c:64:63:97:8a:16:90:80:36:9e:30:ac
			a0:c1:91:56:e4:6e:ea:38:9d:dd:de:30:a7:e5:6f:40
			71:91:90:38:6d:4e:c8:1a:f7:ed:59:6a:b8:96:bf:54
			3b:0e:6f:98:61:94:ab:1b:58:4d:db:78:a8:19:38:ea
			4e:b6:1c:0b:6d:b3:76:1a:4e:80:c7:68:9b:0b:e3:81
			5a:14:5d:ea:61:b5:a1:9d:b1:ec:d8:b7:37:f7:a4:01
			d3:13:b7:88:3f:08:9a:43:de:2d:30:f3:ad:60:d3:09
			36:b7:08:7e:d6:cf:04:9b:bd:45:ac:55:8f:0b:bc:49
			ca:3f:e7:c8:2a:42:3a:05:d5:dd:07:77:10:c2:07:ca
			a2:2a:2e:84:a9:6b:b3:b0:f8:79:25:8e:bc:b5:c1:d7
			c2:1c:d7:0a:41:b0:55:4f:d0:44:50:d2:15:75:5b:21
			dd:a5:24:82:a9:99:63:8b:8d:d5:7d:71:19:31:62:e4
			f7
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
		Authority Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
		Key Usage (not critical):
			Certificate signing.
			CRL signing.
		Unknown extension 2.16.840.1.113730.1.1 (not critical):
			ASCII: ....
			Hexdump: 03020007
		Subject Alternative Name (not critical):
			RFC822name: admins@tarent.de
		Issuer Alternative Name (not critical):
			RFC822name: admins@tarent.de
		Unknown extension 2.16.840.1.113730.1.13 (not critical):
			ASCII: .)This certificate is a Root CA Certificate
			Hexdump: 162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465
	Signature Algorithm: RSA-SHA1
	Signature:
		5b:a1:a8:ec:95:0a:95:40:ed:da:55:79:bb:75:9e:0d
		1c:73:dd:dc:e7:79:17:00:57:d7:08:a7:1b:7b:45:f3
		e3:7d:41:80:e1:49:4b:34:a1:cc:91:e1:e3:db:20:d9
		1f:01:8a:bc:74:10:40:6a:2a:c4:9c:05:d6:1a:27:c0
		da:83:81:0e:34:f7:f4:04:c5:68:38:c1:67:74:44:ab
		28:ee:a7:54:32:d7:1c:95:eb:90:a6:b9:46:d1:96:05
		99:8b:f0:d2:a3:05:43:82:3c:a1:e3:9d:52:b5:94:65
		df:df:9d:88:b5:d7:7b:1e:71:28:1e:a1:b2:80:2b:80
		57:59:57:e9:3f:10:78:01:45:54:cf:11:3c:6d:3e:ab
		50:59:3b:11:82:9a:a8:ad:ca:5a:8f:4a:e2:0c:40:da
		84:9f:bc:14:41:31:f7:ec:13:4d:48:b5:1e:96:65:3b
		1d:58:49:70:cf:04:f8:57:d3:7e:a3:3a:45:4f:05:78
		12:20:a5:b8:3a:5e:d8:17:b1:4c:37:fc:16:4e:d0:3e
		b8:ef:18:7d:ed:b2:17:c5:a6:d8:c1:34:84:34:b1:bf
		a9:67:f9:fc:82:20:96:6f:39:86:3b:bd:bd:98:52:a1
		e8:3d:6f:cb:1d:ff:f0:36:a6:c2:bf:72:3c:9b:65:21
Other Information:
	SHA-1 fingerprint:
		6da9e3f7bcea0df189a7f599599bc253517a57fc
	Public Key Id:
		2c1c29def291b0232e96889b4404cdc2cafb5997
	Public key's random art:
		+--[ RSA 2048]----+
		[random-art rows lost in archiving]
		+-----------------+

-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIBAgIJAJ17nqsex6JJMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlMB4XDTExMDIwNzEwMjQyOVoXDTEzMDIwNjEwMjQyOVowgZwxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIEwNOUlcxDTALBgNVBAcTBEJvbm4xFDASBgNVBAoTC3Rh
cmVudCBHbWJIMQswCQYDVQQLEwJJVDEsMCoGA1UEAxMjVW5pdmVudGlvbiBDb3Jw
b3JhdGUgU2VydmVyIFJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGFkbWluc0B0YXJl
bnQuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxhnVJUYwNGfT1
HZ5jwQsBBN+63AW8SU5sId57LKXdv4m9L46m4WphqkzgHsRIXgRFM7nYH5mrRnL0
QvdaSg3spngtHGRjl4oWkIA2njCsoMGRVuRu6jid3d4wp+VvQHGRkDhtTsga9+1Z
ariWv1Q7Dm+YYZSrG1hN23ioGTjqTrYcC22zdhpOgMdomwvjgVoUXephtaGdsezY
tzf3pAHTE7eIPwiaQ94tMPOtYNMJNrcIftbPBJu9RaxVjwu8Sco/58gqQjoF1d0H
dxDCB8qiKi6EqWuzsPh5JY68tcHXwhzXCkGwVU/QRFDSFXVbId2lJIKpmWOLjdV9
cRkxYuT3AgMBAAGjggGcMIIBmDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRh
m2Wte3clWpukCDJQd0kq1t0ddjCB0QYDVR0jBIHJMIHGgBRhm2Wte3clWpukCDJQ
d0kq1t0ddqGBoqSBnzCBnDELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsG
A1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdtYkgxCzAJBgNVBAsTAklUMSww
KgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQTEfMB0G
CSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZYIJAJ17nqsex6JJMAsGA1UdDwQE
AwIBBjARBglghkgBhvhCAQEEBAMCAAcwGwYDVR0RBBQwEoEQYWRtaW5zQHRhcmVu
dC5kZTAbBgNVHRIEFDASgRBhZG1pbnNAdGFyZW50LmRlMDgGCWCGSAGG+EIBDQQr
FilUaGlzIGNlcnRpZmljYXRlIGlzIGEgUm9vdCBDQSBDZXJ0aWZpY2F0ZTANBgkq
hkiG9w0BAQUFAAOCAQEAW6Go7JUKlUDt2lV5u3WeDRxz3dzneRcAV9cIpxt7RfPj
fUGA4UlLNKHMkeHj2yDZHwGKvHQQQGoqxJwF1honwNqDgQ409/QExWg4wWd0RKso
7qdUMtccleuQprlG0ZYFmYvw0qMFQ4I8oeOdUrWUZd/fnYi113secSgeobKAK4BX
WVfpPxB4AUVUzxE8bT6rUFk7EYKaqK3KWo9K4gxA2oSfvBRBMffsE01ItR6WZTsd
WElwzwT4V9N+ozpFTwV4EiCluDpe2BexTDf8Fk7QPrjvGH3tshfFptjBNIQ0sb+p
Z/n8giCWbzmGO729mFKh6D1vyx3/8Damwr9yPJtlIQ==
-----END CERTIFICATE-----
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Channel binding 'tls-unique': a22ef1b76eb9f8b5cd08e865
- Handshake was completed

- Simple Client Mode:

[ cursor here ]

Any ideas welcome. The certificates (CA and LDAP server) are autogenerated by some Univention scripts, in case someone needs to know.

Thanks in advance,
//mirabilos (also [email protected])
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

_______________________________________________
Help-gnutls mailing list
help-gnutls@gnu.org
https://lists.gnu.org/mailman/listinfo/help-gnutls
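The post compares two verifiers on a live LDAP port, which nobody can repeat now. The script below is an added example (not part of mirabilos's message, the GnuTLS project, or Univention) that takes the two certificates pasted in the post and evaluates the chain offline with the openssl CLI: it prints the properties a verifier weighs (key size, signature digest, validity window) and path-validates the leaf against the root at a frozen clock. It assumes the openssl binary is installed; the PEM blocks are copied verbatim from the post, POST_TIME is the "Start Time" that s_client printed there, and AFTER_CA_EXPIRY is a constructed date chosen between the root's notAfter (Feb 2013) and the leaf's notAfter (Feb 2016). It reproduces the OpenSSL side of the comparison and the validity nesting of this chain; it does not reproduce the GnuTLS 2.12 signature-check ASSERTs in the post.

```shell
#!/bin/sh
# Added example, not code from the post: evaluate the posted chain offline with
# the openssl CLI so a verifier's verdict can be reproduced without reaching
# dc.lan.tarent.de. Assumes openssl is installed. The two PEM blocks are the
# server and root CA certificates copied verbatim from the post; POST_TIME is the
# "Start Time" printed by s_client there, AFTER_CA_EXPIRY is a constructed date.
set -u
WORK=$(mktemp -d)

cat >"$WORK/server.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzENMAsGA1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdt
YkgxCzAJBgNVBAsTAklUMSwwKgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBT
ZXJ2ZXIgUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZTAe
Fw0xMTAyMDcxMDI0MjlaFw0xNjAyMDYxMDI0MjlaMIGJMQswCQYDVQQGEwJERTEM
MAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0YXJlbnQgR21i
SDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEGRjLmxhbi50YXJlbnQuZGUxHzAdBgkq
hkiG9w0BCQEWEGFkbWluc0B0YXJlbnQuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALec1kjx6ebHDWjNZ47DFCk91oMR0JU7dWKdDcJnX4NpIClXfYmfT5lU
1nIdEVkaG9vqAEgv1tXGVh78y5HENvjMoqndNK0vZuuJ+huoV5oLdfHaDKfQ9HM9
zyQedZVvu3/BZRI2ZOustxQrbZk/BbY2zEGZ+vtSiUaUgy2sNBPvAgMBAAGjggEB
MIH+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFIX4Fy+mIvJiFcXakJKmS6d+AH+mMIHR
BgNVHSMEgckwgcaAFGGbZa17dyVam6QIMlB3SSrW3R12oYGipIGfMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlggkAnXueqx7HokkwDQYJKoZIhvcNAQEFBQADggEBACM2aAg5fCBucTeX
RLy7tq8wb33nkPs9Ai2IyUSkdk5lIarNapKApYZKnX7cWrpNiGejG6lLyYXwS9oo
QQs94SnLt3583sL+VTxST3Xj4sQicbkZW+I/QX+Y3sACvhibDEawXHZPCzMQxNgk
LvBsaM7uAo7HhzoPVQlM32rg3mXX7Nsunv31hw/WjKHI0MW8YfBIPf3o40GGnDcn
QRFhzYQY3u+bYKz0qzy1YfQxjvqFBnrJJFC1m9wfZs9dfAjkDb5TDVTKR1y1sEaU
g2SrN46OVYEygNqlSTJdcgxcFWSrS1W3yrtBoduP8xqyWePasO3TTHWkNIwfKnPm
0HJAFlU=
-----END CERTIFICATE-----
EOF

cat >"$WORK/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIBAgIJAJ17nqsex6JJMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlMB4XDTExMDIwNzEwMjQyOVoXDTEzMDIwNjEwMjQyOVowgZwxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIEwNOUlcxDTALBgNVBAcTBEJvbm4xFDASBgNVBAoTC3Rh
cmVudCBHbWJIMQswCQYDVQQLEwJJVDEsMCoGA1UEAxMjVW5pdmVudGlvbiBDb3Jw
b3JhdGUgU2VydmVyIFJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGFkbWluc0B0YXJl
bnQuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxhnVJUYwNGfT1
HZ5jwQsBBN+63AW8SU5sId57LKXdv4m9L46m4WphqkzgHsRIXgRFM7nYH5mrRnL0
QvdaSg3spngtHGRjl4oWkIA2njCsoMGRVuRu6jid3d4wp+VvQHGRkDhtTsga9+1Z
ariWv1Q7Dm+YYZSrG1hN23ioGTjqTrYcC22zdhpOgMdomwvjgVoUXephtaGdsezY
tzf3pAHTE7eIPwiaQ94tMPOtYNMJNrcIftbPBJu9RaxVjwu8Sco/58gqQjoF1d0H
dxDCB8qiKi6EqWuzsPh5JY68tcHXwhzXCkGwVU/QRFDSFXVbId2lJIKpmWOLjdV9
cRkxYuT3AgMBAAGjggGcMIIBmDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRh
m2Wte3clWpukCDJQd0kq1t0ddjCB0QYDVR0jBIHJMIHGgBRhm2Wte3clWpukCDJQ
d0kq1t0ddqGBoqSBnzCBnDELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsG
A1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdtYkgxCzAJBgNVBAsTAklUMSww
KgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQTEfMB0G
CSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZYIJAJ17nqsex6JJMAsGA1UdDwQE
AwIBBjARBglghkgBhvhCAQEEBAMCAAcwGwYDVR0RBBQwEoEQYWRtaW5zQHRhcmVu
dC5kZTAbBgNVHRIEFDASgRBhZG1pbnNAdGFyZW50LmRlMDgGCWCGSAGG+EIBDQQr
FilUaGlzIGNlcnRpZmljYXRlIGlzIGEgUm9vdCBDQSBDZXJ0aWZpY2F0ZTANBgkq
hkiG9w0BAQUFAAOCAQEAW6Go7JUKlUDt2lV5u3WeDRxz3dzneRcAV9cIpxt7RfPj
fUGA4UlLNKHMkeHj2yDZHwGKvHQQQGoqxJwF1honwNqDgQ409/QExWg4wWd0RKso
7qdUMtccleuQprlG0ZYFmYvw0qMFQ4I8oeOdUrWUZd/fnYi113secSgeobKAK4BX
WVfpPxB4AUVUzxE8bT6rUFk7EYKaqK3KWo9K4gxA2oSfvBRBMffsE01ItR6WZTsd
WElwzwT4V9N+ozpFTwV4EiCluDpe2BexTDf8Fk7QPrjvGH3tshfFptjBNIQ0sb+p
Z/n8giCWbzmGO729mFKh6D1vyx3/8Damwr9yPJtlIQ==
-----END CERTIFICATE-----
EOF

# Properties every verifier weighs: subject, validity window, signature digest, key size.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
    openssl x509 -in "$1" -noout -text | grep -E 'Signature Algorithm|Public-Key' | sed 's/^ *//' | sort -u
}

# Path-validate the leaf against the posted root with the clock frozen at $1 (epoch
# seconds); prints OK or FAIL. -attime is what lets a 2011 chain be judged today.
verify_at() {
    if openssl verify -attime "$1" -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

POST_TIME=1336645861        # 2012-05-10, the s_client "Start Time" in the post
AFTER_CA_EXPIRY=1388534400  # 2014-01-01T00:00:00Z (constructed): root expired, leaf still valid

cert_summary "$WORK/server.pem"
cert_summary "$WORK/ca.pem"
echo "at post time:    $(verify_at "$POST_TIME")"       # OK
echo "after CA expiry: $(verify_at "$AFTER_CA_EXPIRY")" # FAIL: leaf (notAfter 2016) outlives its issuer (notAfter 2013)
```

The second verdict is the practical caveat in this chain: the server certificate was issued with a lifetime three years longer than the root that signed it, so any client that checks the issuer's validity (OpenSSL and GnuTLS both do) stops trusting it in February 2013 even though the leaf itself looks fine until 2016. To compare the GnuTLS side on the same files, feed the chain (leaf first, then the root) to certtool --verify-chain; since both certificates are long expired today, only the openssl runs with -attime are asserted here.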
