Full_Name: Mathias Gug
Version: 2.4.15
OS: Ubuntu Linux (Jaunty - 9.04)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.56.226.136)

Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a CA chain is checked. Thus libldap+gnutls breaks in existing environments when one of the CA certs uses a V1 certificate. However libldap+openssl still supports V1 certificates in the CA chain.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more information.

Could libldap+gnutls be updated to also support V1 CA certificates to match features provided by libldap+openssl?

To reproduce:

0. Need two versions of openldap: one compiled with gnutls, the other with openssl.
1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with the certificates issued above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

mathiaz@t-slapd-gnutls:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On a system with libldap+openssl:

mathiaz@t-slapd-openssl:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./
# extended LDIF
#
# LDAPv3
# base <dc=vmnet> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# vmnet
dn: dc=vmnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: vmnet
dc: vmnet

# admin, vmnet
dn: cn=admin,dc=vmnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fWtlVHlnV1lleFBDWFU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
$

ldapsearch is able to connect to the slapd+openssl server.
mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environments when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
>
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> information.
>
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?

Just to be clear, are you requesting that libldap unconditionally call gnutls_certificate_set_verify_flags() with the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed notes changed state Open to Test moved from Incoming to Software Bugs
changed notes changed state Test to Release
On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environments when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>>
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>>
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with the
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

Yes. The patch pushed in CVS works as expected.

I agree that having an option to enable/disable the trust of V1 CA certificates would be helpful.

--
Mathias Gug
Ubuntu Developer
http://www.ubuntu.com
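The failure in the report ("TLS: peer cert untrusted or revoked (0x82)") is caused by a V1 certificate in the CA chain, and the fix discussed above is a libldap change (GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT). An administrator can find the offending certificates before deploying a GnuTLS-linked client by checking the version field of every certificate in the CA bundle. The following script is an added example, not code from this ITS thread or from OpenLDAP; it reads only the DER prefix of each PEM certificate (outer SEQUENCE, TBSCertificate SEQUENCE, optional [0] EXPLICIT version) so it needs no TLS library, and the sample bundle it ships with is constructed for the demo (structurally valid prefixes, not real certificates).

```python
"""Audit a PEM CA bundle for X.509 v1 certificates (added example).

A certificate whose TBSCertificate has no [0] EXPLICIT version element is
v1; GnuTLS >= 2.6.3 refuses to treat such a certificate as a CA unless the
application sets GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT. The sample bundle at
the bottom is constructed: DER prefixes only, not loadable certificates.
"""
import base64
import re


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Wrap body in a DER tag/length/value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, pos, pos + length


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ...
    }, ... }   -- a missing [0] element means v1.
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:              # first TBS element is the serial: v1
        return 1
    itag, i_start, i_end = _read_tlv(der, v_start)
    if itag != 0x02 or i_end > v_end:
        raise ValueError("malformed version field")
    return int.from_bytes(der[i_start:i_end], "big") + 1


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certificates(text):
    """Yield the DER bytes of every certificate block in a PEM bundle."""
    for m in _PEM_RE.finditer(text):
        yield base64.b64decode("".join(m.group(1).split()))


def find_v1_certs(bundle_text):
    """Return the 0-based positions of v1 certificates in the bundle."""
    return [i for i, der in enumerate(pem_certificates(bundle_text))
            if x509_version(der) == 1]


def _fake_cert(version=None):
    """Constructed DER prefix: SEQUENCE { SEQUENCE { [version], serial } }."""
    tbs = b""
    if version is not None:
        tbs += _tlv(0xA0, _tlv(0x02, bytes([version - 1])))
    tbs += _tlv(0x02, b"\x01")    # serialNumber 1
    return _tlv(0x30, _tlv(0x30, tbs))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundle: v3, v1, v3. The v1 entry is the one a
# libldap+gnutls client would reject as a CA.
SAMPLE_BUNDLE = _pem(_fake_cert(3)) + _pem(_fake_cert()) + _pem(_fake_cert(3))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for idx in find_v1_certs(text):
        print(f"certificate #{idx} is X.509 v1; GnuTLS will not trust it as a CA")
```

Run it against a real bundle with `python3 audit_v1.py /etc/ssl/certs/ca-certificates.crt` (path is an assumption; use the file named by TLS_CACERT in ldap.conf). A non-empty result explains the 0x82 error without enabling any debug output, and re-issuing the listed CAs as v3 removes the need for the verify-flag workaround on the client side.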
changed notes changed state Release to Closed
fixed in HEAD fixed in RE24