
Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.



On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environments when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>>
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>>
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with 
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

Yes. The patch pushed in CVS works as expected. 

I agree that having an option to enable/disable the trust of V1 CA
certificates would be helpful.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
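The practical follow-up for an administrator hit by this change is to find out which certificates in a CA bundle are still X.509 v1 (no extensions, so no basicConstraints marking them as a CA), since those are the ones GnuTLS 2.6.3 stops trusting unless the flag discussed above is set. The following is an added example, not code from this thread, from OpenLDAP or from GnuTLS: a minimal DER reader that extracts only the version field of each certificate in a PEM bundle. The two sample "certificates" are constructed byte strings that contain just the leading tbsCertificate fields needed to exercise the version logic; they are not real certificates.

```python
import base64
import re

# PEM armour used by CA bundles such as /etc/ssl/certs/ca-certificates.crt
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, off):
    """Read one DER tag/length/value at buf[off].

    Returns (tag, value_start, value_end). Handles short and long-form lengths.
    """
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }
    A v1 certificate simply omits the [0] element, so the first field of
    tbsCertificate is the serial number INTEGER instead.
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_start, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:                         # [0] absent: DEFAULT v1(0)
        return 1
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1   # encoded 0 -> v1


def pem_bundle_versions(pem_bytes):
    """Return the version of every certificate in a PEM bundle, in order."""
    return [
        x509_version(base64.b64decode(m.group(1)))
        for m in PEM_RE.finditer(pem_bytes)
    ]


def v1_indexes(pem_bytes):
    """Indexes of the certificates in the bundle that are X.509 v1."""
    return [i for i, v in enumerate(pem_bundle_versions(pem_bytes)) if v == 1]


def _pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n")


# Constructed samples (assumption: only the leading tbsCertificate fields are
# present, which is all x509_version() reads). Not real certificates.
# v3: SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, serialNumber INTEGER 1 } }
SAMPLE_V3_DER = bytes.fromhex("300a3008a003020102020101")
# v1: SEQUENCE { SEQUENCE { serialNumber INTEGER 1 } }  (no version element)
SAMPLE_V1_DER = bytes.fromhex("30053003020101")
SAMPLE_BUNDLE = _pem(SAMPLE_V3_DER) + _pem(SAMPLE_V1_DER)

if __name__ == "__main__":
    for i, v in enumerate(pem_bundle_versions(SAMPLE_BUNDLE)):
        print(f"cert {i}: X.509 v{v}{'  <- v1 CA, not trusted by GnuTLS >= 2.6.3 by default' if v == 1 else ''}")
```

Run it against a real bundle with `pem_bundle_versions(open(path, "rb").read())`; any index reported by `v1_indexes()` is a CA that has to be reissued as v3 (with basicConstraints CA:TRUE), or explicitly allowed via the verify flag, before libldap built against GnuTLS 2.6.3 or later will accept chains rooted in it.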