
Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.



mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environments when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
>
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> information.
>
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?

Just to be clear, are you requesting that libldap unconditionally call
gnutls_certificate_set_verify_flags() with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT 
parameter?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
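Before deciding whether to set GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, an administrator usually wants to know whether the local CA bundle actually contains V1 certificates. The following scanner is an added example written for this thread, not code from OpenLDAP, GnuTLS or either poster; it reads only the leading DER fields of each PEM certificate (the version field is `[0] EXPLICIT INTEGER OPTIONAL`, so a certificate without it is v1), and the two certificate stubs and the sample bundle are constructed test data.

```python
import base64
import re

def _read_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def x509_version(der):
    """X.509 version (1, 2 or 3) of a DER certificate. The version field is
    [0] EXPLICIT INTEGER OPTIONAL; when absent the cert is v1, which GnuTLS >= 2.6.3
    no longer accepts as a CA unless GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set."""
    tag, start, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    tag2, tbs_start, _ = _read_tlv(der, start)          # TBSCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 Certificate structure")
    tag, v_start, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:                                     # first field is serialNumber
        return 1
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def find_v1_certs(bundle_pem):
    """0-based indexes of V1 certificates in a PEM CA bundle (candidates to re-issue as v3)."""
    hits = []
    for idx, m in enumerate(_PEM_RE.finditer(bundle_pem)):
        der = base64.b64decode("".join(m.group(1).split()))
        if x509_version(der) == 1:
            hits.append(idx)
    return hits

def _pem(der):                                          # wrap DER bytes as one PEM block
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed stubs: only the leading TLVs of a certificate, enough for the version check.
V3_STUB = bytes.fromhex("300a3008a003020102020105")    # [0]{INTEGER 2}, then serial 5
V1_STUB = bytes.fromhex("30053003020105")              # serial 5 comes first: no version field
SAMPLE_BUNDLE = _pem(V3_STUB) + _pem(V1_STUB)           # constructed two-cert bundle
```

Run `find_v1_certs(open("/path/to/ca-bundle.pem").read())` against a real bundle; any index it reports is a CA certificate that GnuTLS 2.6.3 and later will refuse without the flag.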