Control: retitle -1 cacertdir not implemented for gnutls
Control: reassign -1 libldap-2.4-2 2.4.56+dfsg-1

On 2021-01-12 Andras Korn <korn-debb...@elan.rulez.org> wrote:
> Package: libgnutls30
> Version: 3.7.0-3
> Severity: wishlist
>
> Hi,
>
> I was just bitten by https://github.com/SSSD/sssd/issues/5444.
>
> Briefly:
>
> * sssd relies on libldap to query LDAP servers.
> * libldap can be linked against libssl (openssl) or gnutls for SSL/TLS
>   support.
> * libssl supports an ldap_tls_cacertdir option; you can point it to
>   /etc/ssl/certs and it'll trust all CA certificates that are in this directory.
> * gnutls doesn't have this cacertdir mechanism and needs `ldap_tls_cacert =
>   /etc/ssl/certs/ca-certificates.crt` instead.
> * my sssd.conf only had ldap_tls_cacertdir, not ldap_tls_cacert; thus,
>   gnutls didn't know which CA certificates to trust and failed to validate my
>   LDAP server certificates.
> * The root cause of the problem only became visible after enabling LDAP
>   library debugging in sssd.conf.
>
> I think I shouldn't need to specify `ldap_tls_cacert =
> /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
> this is the default location of trusted CA certificates in Debian.
> Configuration should only be necessary for non-default setups.

Hello,

GnuTLS offers a sane compile default for the trust store (see
gnutls_x509_trust_list_add_system_trust()), which can be used by the
application. I have therefore retitled the bug.

From the upstream bug report:

2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap: TLS: warning: cacertdir not implemented for gnutls

GnuTLS has supported using a directory instead of a file since version
3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
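A small configuration check for the situation described in this thread, added here as an example; it is not code from the bug report, from sssd or from libldap. It assumes only what the thread states: a gnutls-linked libldap ignores `ldap_tls_cacertdir` (logging the "cacertdir not implemented for gnutls" warning), while an OpenSSL-linked libldap honours it, and `ldap_tls_cacert` works with both. The two sssd.conf fragments, the domain name and the `backend` parameter are constructed for the example.

```python
import configparser
from typing import Optional

# Constructed sssd.conf fragments (not copied from the bug report).
# BROKEN_CONF mirrors the reporter's setup: only a cacertdir is given.
BROKEN_CONF = """
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/ssl/certs
"""

# FIXED_CONF adds ldap_tls_cacert, which both TLS backends of libldap honour.
FIXED_CONF = """
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""


def effective_trust_source(conf_text: str, domain: str, backend: str) -> Optional[str]:
    """Return the CA trust source libldap will actually use for `domain`,
    or None when the configuration leaves it with no usable trust store.

    `backend` is the TLS library libldap is linked against ("gnutls" or
    "openssl"); the example takes it as a parameter rather than detecting it.
    """
    if backend not in ("gnutls", "openssl"):
        raise ValueError(f"unknown libldap TLS backend: {backend!r}")

    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    cacert = section.get("ldap_tls_cacert")
    cacertdir = section.get("ldap_tls_cacertdir")

    # A CA bundle file is understood by both backends, so it always wins here.
    if cacert:
        return f"file:{cacert}"
    # A CA directory is only implemented by the OpenSSL backend of libldap.
    if cacertdir and backend == "openssl":
        return f"dir:{cacertdir}"
    # gnutls backend with only a cacertdir, or nothing configured at all:
    # libldap would log "cacertdir not implemented for gnutls" and validation
    # of the LDAP server certificate fails.
    return None


def lint_trust_config(conf_text: str, domain: str, backend: str) -> list:
    """Collect human-readable findings about the TLS trust configuration."""
    findings = []
    source = effective_trust_source(conf_text, domain, backend)
    if source is None:
        findings.append(
            f"domain/{domain}: no CA trust source usable with the {backend} "
            "backend; set ldap_tls_cacert to a CA bundle file"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for backend in ("gnutls", "openssl"):
            print(name, backend, effective_trust_source(conf, "example", backend))
            for f in lint_trust_config(conf, "example", backend):
                print("  WARNING:", f)
```

Run against the reporter's shape of configuration, the checker reports no usable trust source for the gnutls backend but a directory for OpenSSL, which is exactly the asymmetry that made the failure backend-dependent; adding `ldap_tls_cacert` makes the result the same for both.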