Your message dated Thu, 15 Sep 2011 09:54:32 -0700
with message-id <20110915165432.ga27...@virgil.dodds.net>
and subject line Re: [Pkg-openldap-devel] Bug#641720: ldap-utils: OpenLDAP does not work with SSL/TLS encryption -- due to linking against gnutls
has caused the Debian Bug report #641720,
regarding ldap-utils: OpenLDAP does not work with SSL/TLS encryption -- due to linking against gnutls
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
641720: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641720
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ldap-utils
Version: 2.4.23-7.2
Severity: grave
Justification: renders package unusable
I tried to use OpenLDAP as a client with a server that uses SSL/TLS
encryption. The connection never worked; it terminated with the error message

    TLS: peer cert untrusted or revoked (0x102)
    TLS: can't connect: (unknown error code).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The certificate of the server has probably been generated using openssl, so I
recompiled the entire OpenLDAP package with the configure option
--with-tls=openssl
(instead of gnutls). This made it work immediately. It is known that gnutls is
badly written anyway
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
so, please switch to openssl instead of gnutls.
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ldap-utils depends on:
ii  libc6          2.11.2-10        Embedded GNU C Library: Shared lib
ii  libgnutls26    2.8.6-1          the GNU TLS library - runtime libr
ii  libldap-2.4-2  2.4.23-7.2       OpenLDAP libraries
ii  libsasl2-2     2.1.23.dfsg1-7   Cyrus SASL - authentication abstra

Versions of packages ldap-utils recommends:
ii  libsasl2-modules  2.1.23.dfsg1-7  Cyrus SASL - pluggable authenticat

ldap-utils suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Thu, Sep 15, 2011 at 02:26:51PM +0200, Michael Schindler wrote:
> Package: ldap-utils
> Version: 2.4.23-7.2
> Severity: grave
> Justification: renders package unusable
> I tried to use OpenLDAP as a client with a server that uses SSL/TLS
> encryption. The connection never worked; it terminated with the error
> message
>
>     TLS: peer cert untrusted or revoked (0x102)
>     TLS: can't connect: (unknown error code).
>     ldap_err2string
>     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"It works with openssl" is not a bug. For all the information you've
provided here, it's at least as likely that the error message is correct and
you're asking ldapclient to connect insecurely to an untrusted peer!
> The certificate of the server has probably been generated using openssl,
> so I recompiled the entire OpenLDAP package with the configure option
> --with-tls=openssl
> (instead of gnutls). This made it work immediately. It is known that gnutls is
> badly written anyway
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
> so, please switch to openssl instead of gnutls.
This is impossible for license reasons.
Closing this bug as invalid. If you can provide concrete information about
why GNUTLS should be trusting this peer certificate but isn't, please
reopen.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
--- End Message ---
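The point of the reply, that "peer cert untrusted" is the client doing its job until it has been told which CA to trust, can be shown without an LDAP server. The Go program below is an added example and is not code from OpenLDAP, GnuTLS or Debian. It builds a private CA and has it issue a server certificate (the host name ldap.example.org and the CA name "Example Private CA" are made up for the example; the report names neither), then runs the verification a TLS client performs in three client configurations: with no trust anchor for that CA, which is the state of a client whose ldap.conf carries no TLS_CACERT entry for the site CA; with the CA loaded, which is what TLS_CACERT in ldap.conf or the LDAPTLS_CACERT environment variable supplies; and with the CA loaded but the wrong host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed private CA plus the server certificate it issued.
type PKI struct {
	CA, Server *x509.Certificate
}

// sign creates and parses one certificate (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI builds the CA and signs a leaf for host (names are made up for the example).
func NewPKI(host string) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // host name in a SAN, as clients match it
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv, err := sign(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Server: srv}, nil
}

// ClientVerify is the check a TLS client performs on the server certificate:
// chain it to a trusted root, then match the host name. trustCA=false models
// an ldap.conf that has no TLS_CACERT entry for this CA.
func (p *PKI) ClientVerify(trustCA bool, host string) error {
	roots := x509.NewCertPool()
	if trustCA {
		roots.AddCert(p.CA) // what TLS_CACERT / LDAPTLS_CACERT supplies
	}
	_, err := p.Server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func Classify(err error) string {
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown-authority" // GnuTLS reports this as "peer cert untrusted or revoked"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch"
	}
	return "other"
}

func main() {
	p, err := NewPKI("ldap.example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("no CA configured:", Classify(p.ClientVerify(false, "ldap.example.org")))
	fmt.Println("CA configured   :", Classify(p.ClientVerify(true, "ldap.example.org")))
	fmt.Println("wrong host name :", Classify(p.ClientVerify(true, "directory.example.net")))
}
```

The first case is the counterpart of the reported `TLS: peer cert untrusted or revoked`, and it goes away by pointing TLS_CACERT at the certificate of the CA that issued the server's certificate, not by changing TLS libraries. Setting `TLS_REQCERT never` in ldap.conf would also silence the error, but that is precisely the "connect insecurely to an untrusted peer" outcome the reply warns about. The third case is the other thing to check before reopening such a bug: a certificate that chains correctly but was issued for a name other than the one in the LDAP URI is also rightly rejected.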