[Date Prev][Date Next] [Chronological] [Thread] [Top]

Accursed LDAP+SSL Breakage When Using libgcrypt

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Accursed LDAP+SSL Breakage When Using libgcrypt
From: Ken Stailey <kstailey@yahoo.com>
Date: Sun, 5 Feb 2012 09:45:18 -0800 (PST)
Cc: DC Ubuntu <Ubuntu-us-dc@lists.ubuntu.com>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1328463918; bh=F/vbAb8wxK8DNO4Q9dwGBvxDzYAkke+zKz4VPpge1GY=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding; b=1nZ72+S0eY8qODwnWYHnxDoLefVhhc5VAh4KHdSEjJnNy7Z56bV2X0ecl1Zj8jYHRRodNkGj/0fYWSGpfDRC1zvinyi5dIlGNWzxn+pWJNYNhUhqa54rdPR+n8iOn/gOcAowhJti8YsqOC21p3u+UPPEKbZmHx+5s8W5254BV2U=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding; b=KwI35NXN6GrmPClJhto0okcZO3ops/vyG/UHTvIpTD8hqn1/A4ADwa5WXnbMP8mFmyJBOS1RFdrUWwoXYfyP/lGHe1FAiSfe/3wiuE5UV1UfPRB4u0nCnfRmg0s/z8jQe24zyfI+ng4qQ0+1U7X9OyRP8fUAe30jbq0yYGMwa6s=;

Hi,

I abandoned any efforts to get anyone to hack the broken libgcrypt11
 so that it would stop dropping setuid permissions.  This was motivated
 largely by the fact that upstream GnuTLS started releasing versions
 that were intended to stop using libcrypt as the crypto back-end along
 with support for multiple crypto back-ends.  The preferred crypto library
 for GnuTLS is nettle now.  This change requires a minimum of
 GnuTLS 2.11.x and Ubuntu 12.04 is using GnuTLS 2.12.x.

There were miscellaneous announcements made about this change:

Andreas Metzler
http://lists.debian.org/debian-legal/2011/02/msg00006.html
{{ GnuTLS upstream has added support for different crypto backends in
2.11.x and has chosen nettle as prefered [sic] backend (2.10.x is using
libgcrypt). }}

It works for me, when I configure GnuTLS on Ubuntu 12.04 to use
nettle the painful regression goes away and I can use setuid
binaries from an LDAP account configured to access an LDAP
server via SSL.

To test on Ubuntu 12.04 or Debian Testing or Unstable simply:

apt-get build-dep libgnutls26

apt-get source gnutls26
to fetch the source for gnutls26-2.12.14 (or 2.12.16-1 on Debian)

then chop out
--with-libgcrypt
from the debian/rules file
and rebuild gnutls26
debuild -i -uc -us -b
and install the resulting .deb files.

Much to my chagrin, upstream Debian still configures GnuTLS to use
the horribly defective and rejected-by-upstream libgcrypt11 instead
of the preferred-by-upstream nettle despite both Debian Testing
and Debian Unstable having GnuTLS 2.12.16-1

$ grep with-libgcrypt sid/gnutls26-2.12.16/debian/rules 
    --cache-file=$(CURDIR)/config.cache --with-libgcrypt \

So I opened two bug reports:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739

https://bugs.launchpad.net/bugs/926350

Hope that helps.

Prev by Date: Re: Using NSS
Next by Date: Re: How do I reset rootdn password?
Index(es):
- Chronological
- Thread