[Date Prev][Date Next]
Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.
- From: firstname.lastname@example.org
- Date: Thu, 5 Mar 2009 03:01:36 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (188.8.131.52)
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environement when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?
Just to be clear, are you requesting that libldap unconditionally call
gnutls_certificate_set_verify_flags() with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/