[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2011-08-10 Thread Bug Watch Updater
** Changed in: gnutls26 (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/305264 Title: gnutls regression: failure in certificate chain

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Hardy openldap2.3 was fixed awhile ago, but didn't auto-close: openldap2.3 (2.4.9-0ubuntu0.8.04.3) hardy-proposed; urgency=low * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be trusted (LP: #305264). -- Mathias Gug math...@ubuntu.com (mathiaz: 10900) [universe-

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls12 1.2.9-2ubuntu1.5 to dapper-security and dapper-updates ** Changed in: gnutls12 (Ubuntu Dapper) Status: Fix Committed => Fix Released ** Tags added: verification-done ** Tags removed: verification-needed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls26 - 2.4.1-1ubuntu0.3 --- gnutls26 (2.4.1-1ubuntu0.3) intrepid-security; urgency=low * Fix for certificate chain regressions introduced by fixes for CVE-2008-4989 * debian/patches/20_CVE-2008-4989.diff: updated to upstream's final

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls26 2.4.1-1ubuntu0.3 from -proposed to -security and -updates.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.11-0ubuntu6.2 --- openldap (2.4.11-0ubuntu6.2) intrepid-proposed; urgency=low * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be trusted (LP: #305264). -- Mathias Gug math...@ubuntu.com Wed, 25 Mar 2009

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied openldap 2.4.11-0ubuntu6.2 from -proposed to -updates.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Howard Chu
Just noting for posterity, as of GnuTLS 2.8.0 (released 2009-05-27) you can use %VERIFY_ALLOW_X509_V1_CA_CRT in the TLSCipherSuite options to enable V1 CA certs. I will probably #ifdef the current OpenLDAP patch to turn it off for GnuTLS = 2.8.0. (Haven't decided on best course of action yet,

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/dapper-security/gnutls12

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-08 Thread Jamie Strandboge
We need to push gnutls12 in Dapper and gnutls26 in Intrepid in -proposed to -security since these fix CVE-2009-2409. Dapper should not be a problem with openldap since openldap uses libssl0.9.8 on Dapper. For Intrepid, openldap will need to be copied as was done with Hardy. ** CVE added:

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-14 Thread Andrew Daugherity
I ran into the same problem (the update to libgnutls13 2.0.4-1ubuntu2.5 broke LDAP auth, due to the certificate chain no longer validating). The quick fix was to set TLS_REQCERT to allow in /etc/ldap/ldap.conf, but that is just a temporary workaround. Indeed, using gnutls-cli to connect to

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I'm seeing problems with the new version. Tests with either SSH or sudo, my first password attempt is rejected, yet the second attempt succeeds. I get this in the logs: pam_ldap: ldap_starttls_s: Connect error Setting tls_checkpeer to no in /etc/ldap.conf makes things work fine again.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
@Andy: Could you describe the X509 certs and CA you're using?

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I am using a self created CA with certificates signed by it. I used this command to create it: openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout physicsCA/private/cakey.pem -out physicsCA/cacert.pem -days 2190 I create and sign the certificates with these commands: openssl

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert
Copy of note sent on 1/8/2009: Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0) and the CA self signed cert (7651b327.0) a debug version of verify.c and partial output of an ldapsearch using the debug.c My patch has been #if 0'ed out at line 151. Lets

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert
Mathias Gug wrote: @Andy: Could you describe the X509 certs and CA you're using? We were using ldap and Verisign, and the root CA was a V2 from 1999 which signed an intermediate cert that signed the server certs. I submitted to gnutls a few changes to allow for stopping at the intermediate

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
Hi Andy, On Thu, Jul 09, 2009 at 03:51:04PM -, Andy Wettstein wrote: If you want me to attach the openssl.cnf let me know. Could you please attach your openssl.cnf file so that it's easier to reproduce your environment? Thank you, -- Mathias Gug Ubuntu Developer http://www.ubuntu.com

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
Attaching my openssl.cnf ** Attachment added: openssl.cnf http://launchpadlibrarian.net/28850996/openssl.cnf

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the gnutls/hardy SRU: I have reproduced the acceptance of rsa/md2 v1 certificates by the version of gnutls13 in hardy-updates, 2.0.4-1ubuntu2.3, and can confirm that the version of gnutls13 in hardy-proposed does not accept rsa/md2 certificates. I have added a testcase for this situation in

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the openldap/hardy SRU: I have: (1) reproduced the acceptance of the v1 certificates as outlined in Mathias' test case by the ldap clients with ldap 2.4.9-0ubuntu0.8.04.2 and gnutls13 2.0.4-1ubuntu2. (2) reproduced the rejection of v1 certificates by the ldap clients

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls13 - 2.0.4-1ubuntu2.5 --- gnutls13 (2.0.4-1ubuntu2.5) hardy-security; urgency=low * Fix for certificate chain regressions introduced by fixes for CVE-2008-4989 * debian/patches/91_CVE-2008-4989.diff: updated to upstream's final

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/gutsy-updates/gnutls13 ** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/gnutls13/gutsy-proposed ** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-security ** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-02 Thread Mika Pflüger
Sorry for my report, it was out of confusion between /etc/ldap.conf and /etc/ldap/ldap.conf. I think their names are rather unfortunate, but this is another issue. Mika

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-27 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/openldap/intrepid-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-security ** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Howard Chu
Doug Engert wrote: The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (Licencing issues are low on my list of reasons.) Indeed, for a security tool you want a package written by experienced

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/karmic/openldap

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
I guess we are having the same problem authenticating against a sun open directory server. I use intrepid-proposed on my client: r...@client:~# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls' gnutls-bin 2.4.1-1ubuntu0.3 gnutls26 install ok installed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
** Attachment added: our ldap.conf http://launchpadlibrarian.net/28369422/ldap.conf

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
** Attachment added: output of ldapsearch -x -ZZ -d7 http://launchpadlibrarian.net/28369454/ldapsearch_-x_-ZZ_-d7

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-05-07 Thread Sergio Zanchetta
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task. ** Changed in: gnutls13 (Ubuntu Gutsy) Status: Fix Committed => Won't Fix

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-04-02 Thread Mathias Gug
@Stephan: Could you provide the output of the following command run on the system where the ldap failure happens: dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-04-01 Thread star26bsd
@Martin Pitt: Ok, here's all the stuff: $ ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d7 ldap_url_parse_ext(ldap://ldap.ini.uzh.ch) ldap_create ldap_url_parse_ext(ldap://ldap.ini.uzh.ch:389/??base) ldap_extended_operation_s ldap_extended_operation

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-27 Thread Mathias Gug
** Changed in: openldap (Ubuntu Hardy) Status: Triaged => Fix Committed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread star26bsd
Even though the issue has been reported as 'fixed' I am still facing this problem with an OpenBSD OpenLDAP server: # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d1 ... TLS: peer cert untrusted or revoked (0x42) ldap_err2string ldap_start_tls: Connect error

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Mathias Gug
On Thu, Mar 26, 2009 at 04:35:38PM -, star26bsd wrote: Even though the issue has been reported as 'fixed' I am still facing this problem with an OpenBSD OpenLDAP server: # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d1 ... TLS: peer cert

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Howard Chu
Mathias, in regards to the wiki you linked above, my preference when debugging these issues is to recommend debug level 7, which includes packet traces, instead of debug 1. It's much better (to me) to be able to see all the traffic, which includes the raw transfer of certificates and their DER

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Changed in: openldap (Ubuntu Intrepid) Assignee: (unassigned) => Mathias Gug (mathiaz) ** Changed in: openldap (Ubuntu Hardy) Assignee: (unassigned) => Mathias Gug (mathiaz)

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Description changed: I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok. This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-17 Thread redbaron
I've noticed strange behaviour which could be related to this bug. #certtool -i ldap-cert.pem | grep -i issu Issuer: C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ca.domain.my,email=ad...@domain.my #certtool -e --load-ca-certificate cacert.pem ldap-cert.pem Issued by:

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Doug Engert
Mathias Gug wrote:
> One workaround is to put all of the CA certs in the trusted CA certificate file.

Yes, that is what we have had to do. The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues.

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Mathias Gug
On Mon, Mar 09, 2009 at 02:21:58PM -, Doug Engert wrote:
> The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (Licencing issues are low on my list of reasons.)

Licensing was the main


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
** Changed in: openldap (Ubuntu Jaunty)
Status: Triaged => In Progress

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
One workaround is to put all of the CA certs in the trusted CA certificate file. If the system running slapd is on hardy (or intrepid or jaunty) you should also add all of the CA certificates to the server certificate file - this is to work around a bug where the slapd daemon doesn't send all of

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.15-1ubuntu1

---
openldap (2.4.15-1ubuntu1) jaunty; urgency=low

  [ Steve Langasek ]
  * Update priority of libldap-2.4-2 to match the archive override.
  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
I've attached the specific patch that enables V1 Certs to be trusted.

** Attachment added: gnutls-v1-cert-enabled.patch
http://launchpadlibrarian.net/23565417/gnutls-v1-cert-enabled.patch


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Mathias Gug
I was able to reproduce the libldap client bug:

0. Need two versions of openldap: one compiled with gnutls, the other with openssl.
1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with certificates issued above.
4.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Howard Chu
libldap is now patched in OpenLDAP cvs HEAD. We anticipate releasing a bugfix-only 2.4.16 release very soon, with this fix included.


Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-24 Thread Doug Engert
Tried the Intrepid version, looks like it works. Thanks.

Jamie Strandboge wrote:
> Dapper through Intrepid have been copied to -proposed now.
>
> ** Tags added: verification-needed

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne,

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-21 Thread Jamie Strandboge
Dapper through Intrepid have been copied to -proposed now.

** Tags added: verification-needed

