Issue 5992 - libldap with gnutls don't trust V1 CAs.
Summary: libldap with gnutls don't trust V1 CAs.
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.15
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-04 23:20 UTC by mathias.gug@canonical.com
Modified: 2014-08-01 21:04 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description mathias.gug@canonical.com 2009-03-04 23:20:59 UTC 
Full_Name: Mathias Gug
Version: 2.4.15
OS: Ubuntu Linux (Jaunty - 9.04)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.56.226.136)


Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
CA chain is checked. Thus libldap+gnutls breaks in existing environement when
one of the CA certs uses a V1 certificate. However libldap+openssl still
supports V1 certificates in the CA chain.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
information.

Could libldap+gnutls be updated to also support V1 CA certificates to match
features provided by libldap+openssl?

To reproduce:

0. Need two versions of openldap : one compiled with gnutls, the other with
openssl.

1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with certificates issues above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

mathiaz@t-slapd-gnutls:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w
mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On a system with libldap+openssl:

mathiaz@t-slapd-openssl:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w
mypwd -H ldaps://t-slapd-openssl./ 
# extended LDIF
#
# LDAPv3
# base <dc=vmnet> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# vmnet
dn: dc=vmnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: vmnet
dc: vmnet

# admin, vmnet
dn: cn=admin,dc=vmnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fWtlVHlnV1lleFBDWFU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

$

ldapsearch is able to connect to the slapd+openssl server.
Comment 1 Howard Chu 2009-03-05 03:01:16 UTC 
mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environement when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
>
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> information.
>
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?

Just to be clear, are you requesting that libldap unconditionally call
gnutls_certificate_set_verify_flags() with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT 
parameter?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
Comment 2 Howard Chu 2009-03-05 07:05:44 UTC 
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2009-03-05 20:03:59 UTC 
changed notes
changed state Test to Release
Comment 4 Mathias Gug 2009-03-06 22:45:14 UTC 
On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environement when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>>
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>>
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with 
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

Yes. The patch pushed in CVS works as expected. 

I agree that having an option to enable/disable the trust of V1 CA
certificates would be helpful.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
Comment 5 Quanah Gibson-Mount 2009-04-06 08:03:28 UTC 
changed notes
changed state Release to Closed
Comment 6 OpenLDAP project 2014-08-01 21:04:20 UTC 
fixed in HEAD
fixed in RE24