On 09.03.2011 10:21, Nikos Mavrogiannopoulos wrote:
> 2011/3/8 Vedran Furač <vedran.fu...@gmail.com>:
>
>>>> - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed
>>>> using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21
>>>> 12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
>>> Looks like one of certs had expired?
>>
>> That could be the problem, but that would indicate a bug in all
>> previous versions of gnutls.
>
> The expiration checking had to be explicitly done by the application using
> gnutls in the previous version. Implicit checking by gnutls was added in
> 2.8.x.
2.8? But it works for me in 2.8.6; something changed in 2.10.x.

> I don't understand your point. Is the certificate expired or not?

Sure, it's expired, but gnutls fails to detect that and is blabbing about:

TLS: peer cert untrusted or revoked (0x402)
TLS: can't connect: (unknown error code).

or

GnuTLS error: Error in the certificate.

While it should:

# grep -Ri expire /tmp/gnutls26-2.10.5/src
/tmp/gnutls26-2.10.5/src/common.c:  if (status & GNUTLS_CERT_EXPIRED)
/tmp/gnutls26-2.10.5/src/common.c:    printf ("- Peer's certificate chain uses expired certificate\n");

I had to make this work ASAP, so I tried to generate a new certificate. I know I previously used openssl to generate a self-signed certificate, but unfortunately I forgot to document the procedure (as certs generated using the standard method do not work (another, IMHO, bug)). So I used certtool following the steps from:

http://wiki.debian.org/LDAP/OpenLDAPSetup

I had to remove TLSCACertificateFile and have updated TLS_REQCERT in ldap.conf from "demand" to "allow". The wiki says to use TLS_REQCERT never, but that's plain wrong, as the client will not request or check any server certificate with that setting.

Regards,
Vedran

-- 
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
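The thread turns on two things: that the expiration check was the application's job before GnuTLS 2.8.x, and how to read a verify status such as 0x402. The following is an added example (not code from the thread, GnuTLS or OpenLDAP) that pulls notBefore/notAfter out of a DER-encoded certificate and evaluates them at a chosen instant, the way an application on an older GnuTLS would have to. The certificate it parses is a constructed skeleton carrying the validity window quoted above (2006-07-22 12:59:58 UTC to 2009-07-21 12:59:58 UTC); issuer, subject, key and signature are placeholders. The status-bit names are taken from gnutls_certificate_status_t in the GnuTLS 2.x headers and are an assumption to check against the gnutls.h you actually build against.

```python
# Added example, not GnuTLS or OpenLDAP code: parse the Validity field of a
# DER X.509 certificate and check it at a given instant.
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC instant, used for both construction and checking."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _tlv(tag, value):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _utctime(dt):
    """DER UTCTime (tag 0x17), YYMMDDHHMMSSZ, which X.509 uses for years before 2050."""
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def make_sample_cert(not_before, not_after):
    """Constructed Certificate skeleton: parses as a Certificate, is not a usable credential."""
    sha1_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")) + _tlv(0x05, b""))
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                            # [0] EXPLICIT version v3
        + _tlv(0x02, b"\x01")                                       # serialNumber
        + sha1_rsa                                                  # signature algorithm
        + _tlv(0x30, b"")                                           # issuer (empty Name)
        + _tlv(0x30, _utctime(not_before) + _utctime(not_after))    # validity
        + _tlv(0x30, b"")                                           # subject (empty Name)
        + _tlv(0x30, b"")                                           # subjectPublicKeyInfo placeholder
    )
    return _tlv(0x30, _tlv(0x30, tbs) + sha1_rsa + _tlv(0x03, b"\x00"))  # dummy signature


def _read_tlv(buf, pos):
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); both assumed to end in 'Z'."""
    t = val.decode("ascii")
    if tag == 0x17:
        year = int(t[:2])
        year += 1900 if year >= 50 else 2000    # RFC 5280 two-digit year rule
        t = t[2:]
    elif tag == 0x18:
        year, t = int(t[:4]), t[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return utc(year, int(t[0:2]), int(t[2:4]), int(t[4:6]), int(t[6:8]), int(t[8:10]))


def validity(der):
    """Return (notBefore, notAfter) from a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    fields = _children(_children(cert)[0][1])   # members of TBSCertificate
    if fields[0][0] == 0xA0:                    # optional [0] version
        fields = fields[1:]
    val_tag, val = fields[3]                    # serial, sigalg, issuer, validity
    if val_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (t1, nb), (t2, na) = _children(val)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_validity(der, now):
    """Problems with the validity window at `now`; an empty set means it is fine."""
    not_before, not_after = validity(der)
    problems = set()
    if now < not_before:
        problems.add("not_yet_valid")
    if now > not_after:
        problems.add("expired")
    return problems


# Assumption: bit values as in gnutls_certificate_status_t of GnuTLS 2.x headers.
GNUTLS_STATUS_BITS = {
    0x002: "GNUTLS_CERT_INVALID", 0x020: "GNUTLS_CERT_REVOKED",
    0x040: "GNUTLS_CERT_SIGNER_NOT_FOUND", 0x080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x100: "GNUTLS_CERT_INSECURE_ALGORITHM", 0x200: "GNUTLS_CERT_NOT_ACTIVATED",
    0x400: "GNUTLS_CERT_EXPIRED",
}


def decode_status(status):
    """Name the flags set in a verify-peers status mask such as 0x402."""
    return [name for bit, name in sorted(GNUTLS_STATUS_BITS.items()) if status & bit]


# Constructed test data: the validity window of the certificate in the thread.
THREAD_NOT_BEFORE = utc(2006, 7, 22, 12, 59, 58)
THREAD_NOT_AFTER = utc(2009, 7, 21, 12, 59, 58)
SAMPLE_CERT = make_sample_cert(THREAD_NOT_BEFORE, THREAD_NOT_AFTER)

if __name__ == "__main__":
    print(validity(SAMPLE_CERT))
    print(check_validity(SAMPLE_CERT, utc(2011, 3, 9, 10, 21)))
    print(decode_status(0x402))
```

Run at the date of the mail, check_validity reports the certificate as expired, and decoding 0x402 with the assumed bit values yields GNUTLS_CERT_INVALID together with GNUTLS_CERT_EXPIRED, which is the combination a verifier that does check expiry would return. On a real certificate, use the same validity() after the chain has been verified; this parser deliberately does nothing about signatures or trust.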