Bug#525605: [Pkg-openldap-devel] Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

2009-04-26 Thread Arthur de Jong
On Sat, 2009-04-25 at 15:47 -0700, Quanah Gibson-Mount wrote:
 There have been numerous changes to how libldap uses TLS entirely
 since 2.4.11, and several fixes specific to GnuTLS as well.  I would
 advise you use the very latest from CVS HEAD rather than poking at
 2.4.11.  IIRC, there is one GnuTLS fix not currently in the RE24 code,
 which is why I suggest using HEAD atm.  I'll be syncing up RE24 likely
 in the next week or so.

I can probably test with CVS HEAD at some point. I would like to point
out though that this problem is in 2.4.15-1.1 and I just happened to have
2.4.11 source code lying around so I used grep on that a couple of
times.

I will probably test with 2.4.16 once it's out but I'm going to work
around this bug anyway so I won't notice it in normal use any more (I'm
going to set all options globally once anyway).

Btw, is there any reliable way to get more error conditions about what
went wrong with SSL/TLS? I've been digging (in 2.4.11 again) and the
only thing I could come up with was setting the debug level, registering a
handler to read the log messages and parsing the output. I don't want to
implement that but is there a better way?

Thanks.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --


Bug#525605: [Pkg-openldap-devel] Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

2009-04-26 Thread Quanah Gibson-Mount
--On Sunday, April 26, 2009 12:24 PM +0200 Arthur de Jong adej...@debian.org wrote:

 On Sat, 2009-04-25 at 15:47 -0700, Quanah Gibson-Mount wrote:
  There have been numerous changes to how libldap uses TLS entirely
  since 2.4.11, and several fixes specific to GnuTLS as well.  I would
  advise you use the very latest from CVS HEAD rather than poking at
  2.4.11.  IIRC, there is one GnuTLS fix not currently in the RE24 code,
  which is why I suggest using HEAD atm.  I'll be syncing up RE24 likely
  in the next week or so.

 I can probably test with CVS HEAD at some point. I would like to point
 out though that this problem is in 2.4.15-1.1 and I just happened to have
 2.4.11 source code lying around so I used grep on that a couple of
 times.

 I will probably test with 2.4.16 once it's out but I'm going to work
 around this bug anyway so I won't notice it in normal use any more (I'm
 going to set all options globally once anyway).

2.4.16 was released a few weeks ago.  And, it is also the current stable
designated release from OpenLDAP.

From the changelog:

OpenLDAP 2.4.16 Release (2009/04/05)
Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
Fixed libldap GnuTLS with CA chains (ITS#5991)
Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)

HEAD also has:

Log Message:
ITS#6053 must use gnutls_x509_privkey_init()

 Btw, is there any reliable way to get more error conditions about what
 went wrong with SSL/TLS? I've been digging (in 2.4.11 again) and the
 only thing I could come up with was setting the debug level, registering a
 handler to read the log messages and parsing the output. I don't want to
 implement that but is there a better way?

Not that I'm aware of.  That might be a better question for one of the 
openldap lists.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




Bug#525605: [Pkg-openldap-devel] Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

2009-04-25 Thread Quanah Gibson-Mount
--On Saturday, April 25, 2009 11:14 PM +0200 Arthur de Jong adej...@debian.org wrote:

 Subject: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly
 Package: libldap-2.4-2
 Version: 2.4.15-1.1
 Severity: important

 I've been busy tracking down an LDAP/TLS related bug in my package
 (#521617) and found that the correct certificate checks are not done
 correctly if I only set the LDAP_OPT_X_TLS_REQUIRE_CERT option on a
 connection:
   /* ldap_set_option() takes the option value by pointer */
   int tls_reqcert = LDAP_OPT_X_TLS_NEVER;
   ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_reqcert);


There have been numerous changes to how libldap uses TLS entirely since 
2.4.11, and several fixes specific to GnuTLS as well.  I would advise you 
use the very latest from CVS HEAD rather than poking at 2.4.11.  IIRC, 
there is one GnuTLS fix not currently in the RE24 code, which is why I 
suggest using HEAD atm.  I'll be syncing up RE24 likely in the next week or 
so.


--Quanah
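The thread turns on a single setting, LDAP_OPT_X_TLS_REQUIRE_CERT, and on the reporter's workaround of configuring TLS options globally instead of per connection. Once verification policy lives in global configuration, what matters for a defender is the value a client process actually ends up with, because libldap reads several sources. The script below is an added example, not code from the bug report, from nss-pam-ldapd or from OpenLDAP. It models the precedence described in ldap.conf(5) (system-wide ldap.conf, then the user's ldaprc, then LDAP<DIRECTIVE> environment variables, each later source overriding the earlier ones), parses the files, and flags a resolved TLS_REQCERT of never, allow or try, or a demand level with no trust anchor configured. The two configuration texts are constructed samples; the directive names and TLS_REQCERT semantics are taken from ldap.conf(5).

```python
"""Audit the TLS peer-verification settings a libldap client will actually use.

Added example for the bug thread above; it is not code from the report,
from nss-pam-ldapd or from OpenLDAP.  It models the precedence documented in
ldap.conf(5): the system-wide ldap.conf is read first, then the user's
ldaprc, then LDAP<DIRECTIVE> environment variables, and a later source
overrides an earlier one.  The configuration texts below are constructed
samples, not files taken from any real system.
"""
from typing import Dict, Iterable, List

# TLS_REQCERT levels from ldap.conf(5) and their effect on peer verification.
REQCERT_LEVELS = {
    "never": "no server certificate is requested, so the peer is never verified",
    "allow": "a missing or bad server certificate is ignored",
    "try": "a missing server certificate is accepted; a bad one aborts the session",
    "demand": "a valid server certificate is required",
    "hard": "a valid server certificate is required (synonym for demand)",
}
WEAK_LEVELS = ("never", "allow", "try")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf-style text into a {DIRECTIVE: value} dict.

    Directive names are case-insensitive, lines starting with '#' are
    comments, and a repeated directive keeps its last value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_settings(sources: Iterable[Dict[str, str]], env: Dict[str, str]) -> Dict[str, str]:
    """Merge parsed sources in reading order (later overrides earlier), then
    apply LDAP<DIRECTIVE> environment variables, which override the files."""
    merged: Dict[str, str] = {}
    for source in sources:
        merged.update(source)
    for name, value in env.items():
        if name.startswith("LDAP") and len(name) > 4:
            merged[name[4:].upper()] = value
    return merged


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """Return findings about peer verification; an empty list means none."""
    findings: List[str] = []
    # libldap treats an absent TLS_REQCERT as demand (ldap.conf(5)).
    level = settings.get("TLS_REQCERT", "demand").strip().lower()
    if level not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT has unknown value {level!r}")
        return findings
    if level in WEAK_LEVELS:
        findings.append(f"TLS_REQCERT {level}: {REQCERT_LEVELS[level]}")
    elif not (settings.get("TLS_CACERT") or settings.get("TLS_CACERTDIR")):
        findings.append(
            "TLS_REQCERT demand without TLS_CACERT or TLS_CACERTDIR: no explicit "
            "trust anchor is configured, so verification depends on whatever "
            "default store the TLS library provides, if any"
        )
    return findings


# Constructed sample: a sound system-wide configuration ...
SYSTEM_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE    dc=example,dc=org
URI     ldaps://ldap.example.org
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""

# ... and a constructed per-user file with a debugging leftover that silently
# disables verification for every libldap client this user runs.
USER_LDAPRC = """\
# ~/.ldaprc (constructed sample)
TLS_REQCERT never
"""


def audit_user(env: Dict[str, str]) -> List[str]:
    """Audit what a client run by the sample user resolves to under `env`."""
    sources = [parse_ldap_conf(SYSTEM_LDAP_CONF), parse_ldap_conf(USER_LDAPRC)]
    return audit_tls(effective_settings(sources, env))


if __name__ == "__main__":
    cases = (("no environment override", {}),
             ("LDAPTLS_REQCERT=demand in the environment", {"LDAPTLS_REQCERT": "demand"}))
    for label, env in cases:
        findings = audit_user(env)
        print(f"{label}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports the user's `TLS_REQCERT never` overriding the system-wide `demand`, and then shows the environment variable restoring it; pointing `parse_ldap_conf` at real file contents turns it into a quick audit of a host's effective libldap verification policy.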