Your message dated Tue, 27 Apr 2010 19:37:55 +0200
with message-id <[email protected]>
and subject line Re: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
has caused the Debian Bug report #517188,
regarding libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
517188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal

OpenLDAP in Lenny is linked against GnuTLS instead of OpenSSL. GnuTLS doesn't support the TLS_CACERTDIR configuration option, so we have to use TLS_CACERT to specify a file with trusted CA certificates.

According to the ldap.conf(5) man page, the TLS_CACERT file can contain all CA certificates that should be trusted.

I've concatenated two CA certificates into one file and specified this file in ldap.conf.

I have two servers with certificates signed by different CAs. Server1 is signed by CA1 and server2 is signed by CA2.

When I put CA1 at the top of the bundle file, I can connect to server1 but not server2, as the certificate is not trusted. If I put CA2 at the top, I can connect to server2 but not server1.

When I use openssl s_client with the CA bundle, I can connect to both servers.

Is this the expected behaviour? Doesn't GnuTLS support more than one certificate in the TLS_CACERT file? If so, this is a serious PITA, as it makes migration from ca1 to ca2 much harder.

Regards,

Rik


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libgnutls26              2.4.2-4         the GNU TLS library - runtime libr
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Thanks to Peter Marschall for testing. Bug doesn't appear anymore in
2.4.21 release in Debian.

Regards,

Matthijs Mohlmann
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvXIPMACgkQ2n1ROIkXqbCfYACgio+ZP9LvVuW8PXIjlCQ2Q9ck
AWgAn0L/sepEYA2tfrXvmHfuLtxoYUI+
=HTLD
-----END PGP SIGNATURE-----


--- End Message ---
