--On Sunday, April 26, 2009 12:24 PM +0200 Arthur de Jong <adej...@debian.org> wrote:

On Sat, 2009-04-25 at 15:47 -0700, Quanah Gibson-Mount wrote:
There have been numerous changes to how libldap uses TLS entirely
since 2.4.11, and several fixes specific to GnuTLS as well.  I would
advise you use the very latest from CVS HEAD rather than poking at
2.4.11.  IIRC, there is one GnuTLS fix not currently in the RE24 code,
which is why I suggest using HEAD atm.  I'll be syncing up RE24 likely
in the next week or so.

I can probably test with CVS HEAD at some point. I would like to point
out though that this problem is in 2.4.15-1.1 and I just happened to have
2.4.11 source code lying around so I used grep on that a couple of
times.

I will probably test with 2.4.16 once it's out but I'm going to work
around this bug anyway so I won't notice it in normal use any more (I'm
going to set all options globally once anyway).

2.4.16 was released a few weeks ago. And, it is also the current "stable" designated release from OpenLDAP.

From the changelog:

OpenLDAP 2.4.16 Release (2009/04/05)
        Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
        Fixed libldap GnuTLS with CA chains (ITS#5991)
        Fixed libldap GnuTLS TLSVerifyCilent try (ITS#5981)

HEAD also has:

Log Message:
ITS#6053 must use gnutls_x509_privkey_init()


Btw, is there any reliable way to get more error conditions about what
went wrong with SSL/TLS? I've been digging (in 2.4.11 again) and the
only thing I could come up with is setting the debug level, registering a
handler to read the log messages and parse the output. I don't want to
implement that but is there a better way?

Not that I'm aware of. That might be a better question for one of the openldap lists.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration


