[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.

mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environement when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> information.
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?

Just to be clear, are you requesting that libldap unconditionally call
gnutls_certificate_set_verify_flags() with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT 

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/