Your message dated Wed, 11 Jun 2014 10:37:40 -0700
with message-id
<CAMXH3QAaF_goFS+CbSJ3eWNXpdOs0==qGs+8o2wiQ=bfrdz...@mail.gmail.com>
and subject line Re: libldap-2.4: No check of root certificate validity date
has caused the Debian Bug report #751002,
regarding libldap-2.4-2: No check of root certificate validity date
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
751002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751002
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libldap-2.4
Version: 2.4.23
Severity: normal
Dear Maintainer,
While upgrading from Debian 6 to Debian 7, LDAPS did not work anymore on the
client. I found out the root certificate had been outdated for a long time, and the
validity date of a root certificate is not checked on a Debian 6 client. But it
is checked on a Debian 7 client, and this can give unexpected problems while
upgrading. And it is a risk for Debian 6 installations.
The error while upgrading is:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
--- End Message ---
--- Begin Message ---
On Wed, Jun 11, 2014 at 2:22 AM, Paul van der Vlis <[email protected]> wrote:
> I think it's a bug in Squeeze not to check the root certificate. But
> fixing the bug will give problems in existing installations and Squeeze
> does not have normal security-support anymore.
>
> We could reassign it to gnutls, or tell the people from squeeze-lts
> about it. Maybe it's important for other packages or other situations.
I think it's the same as #616035: gnutls 2.8 (squeeze) checks just the
peer certificate, while gnutls 2.10 (wheezy) checks the entire
certificate chain. So the gnutls maintainers are aware of that change
and already chose to not backport it to squeeze.
Increasing the libldap debug level yields this message:
TLS: peer cert untrusted or revoked (0x402)
and searching for that seems to be enough to find out that 0x402 means
a certificate has expired.
> My goal was to give some publicity for people who are searching for this
> problem during upgrading, like I did. And to tell about this bug in
> Squeeze.
Between #616035 and this one, hopefully we have enough information for
people who run into this in future. Thanks for helping document it.
> For me it's no problem to close the bug.
Doing so, then.
thanks,
Ryan
--- End Message ---