[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5992) libldap with gnutls don't trust V1 CAs.



Full_Name: Mathias Gug
Version: 2.4.15
OS: Ubuntu Linux (Jaunty - 9.04)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.56.226.136)


Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
CA chain is checked. Thus libldap+gnutls breaks in existing environement when
one of the CA certs uses a V1 certificate. However libldap+openssl still
supports V1 certificates in the CA chain.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
information.

Could libldap+gnutls be updated to also support V1 CA certificates to match
features provided by libldap+openssl?

To reproduce:

0. Need two versions of openldap : one compiled with gnutls, the other with
openssl.

1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with certificates issues above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

mathiaz@t-slapd-gnutls:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w
mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On a system with libldap+openssl:

mathiaz@t-slapd-openssl:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w
mypwd -H ldaps://t-slapd-openssl./ 
# extended LDIF
#
# LDAPv3
# base <dc=vmnet> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# vmnet
dn: dc=vmnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: vmnet
dc: vmnet

# admin, vmnet
dn: cn=admin,dc=vmnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fWtlVHlnV1lleFBDWFU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

$

ldapsearch is able to connect to the slapd+openssl server.