[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: gnutls26 (Debian)
   Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/305264

Title:
  gnutls regression: failure in certificate chain validation

To manage notifications about this bug go to:
https://bugs.launchpad.net/landscape/+bug/305264/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Hardy openldap2.3 was fixed a while ago, but didn't auto-close:

openldap2.3 (2.4.9-0ubuntu0.8.04.3) hardy-proposed; urgency=low

  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
    trusted (LP: #305264).

 -- Mathias Gug <math...@ubuntu.com>  Wed, 25 Mar 2009 14:30:35 -0400

** Changed in: openldap (Ubuntu Hardy)
   Status: Fix Committed => Fix Released
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Copied gnutls12 1.2.9-2ubuntu1.5 to dapper-security and dapper-updates

** Changed in: gnutls12 (Ubuntu Dapper)
   Status: Fix Committed => Fix Released

** Tags added: verification-done

** Tags removed: verification-needed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
This bug was fixed in the package gnutls26 - 2.4.1-1ubuntu0.3

---------------
gnutls26 (2.4.1-1ubuntu0.3) intrepid-security; urgency=low

  * Fix for certificate chain regressions introduced by fixes for
    CVE-2008-4989
  * debian/patches/20_CVE-2008-4989.diff: updated to upstream's final 2.4.2 -
    2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and address all
    known regressions. To summarize from upstream:
    - Fix X.509 certificate chain validation error (CVE-2008-4989)
    - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
    - Deprecate X.509 validation chains using MD5 and MD2 signatures
    - Accept chains where intermediary certs are trusted (LP: #305264)

 -- Jamie Strandboge <ja...@ubuntu.com>  Fri, 20 Feb 2009 12:24:43 -0600

** Changed in: gnutls26 (Ubuntu Intrepid)
   Status: Fix Committed => Fix Released
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Copied gnutls26 2.4.1-1ubuntu0.3 from -proposed to -security and -updates.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
This bug was fixed in the package openldap - 2.4.11-0ubuntu6.2

---------------
openldap (2.4.11-0ubuntu6.2) intrepid-proposed; urgency=low

  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
    trusted (LP: #305264).

 -- Mathias Gug <math...@ubuntu.com>  Wed, 25 Mar 2009 12:52:23 -0400

** Changed in: openldap (Ubuntu Intrepid)
   Status: Fix Committed => Fix Released
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Copied openldap 2.4.11-0ubuntu6.2 from -proposed to -updates.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Just noting for posterity, as of GnuTLS 2.8.0 (released 2009-05-27) you can use %VERIFY_ALLOW_X509_V1_CA_CRT in the TLSCipherSuite options to enable V1 CA certs. I will probably #ifdef the current OpenLDAP patch to turn it off for GnuTLS >= 2.8.0. (Haven't decided on best course of action yet, given http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256 )

** Bug watch added: Debian Bug tracker #541256
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:ubuntu/dapper-security/gnutls12
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
We need to push gnutls12 in Dapper and gnutls26 in Intrepid in -proposed to -security since these fix CVE-2009-2409. Dapper should not be a problem with openldap since openldap uses libssl0.9.8 on Dapper. For Intrepid, openldap will need to be copied as was done with Hardy.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2409
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I ran into the same problem (the update to libgnutls13 2.0.4-1ubuntu2.5 broke LDAP auth, due to the certificate chain no longer validating). The quick fix was to set TLS_REQCERT to allow in /etc/ldap/ldap.conf, but that is just a temporary workaround. Indeed, using gnutls-cli to connect to server:636 fails verification with this version, whereas after rolling back to -ubuntu2.3 it succeeds. 'openssl s_client' is still happy.

I discovered that this is because both my CA cert and the server cert were using md5/rsa, which are no longer supported by gnutls. Note the changelog entry "- Deprecate X.509 validation chains using MD5 and MD2 signatures"; apparently by deprecate they mean no longer support at all.

Apparently gnutls doesn't mind the self-signed CA cert being MD5, but it's not happy with the server cert:

and...@shiny:~$ echo|gnutls-cli --print-cert --x509cafile isc-ca.crt -p 636 ldap.server | certtool -e
Certificate[0]: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ldap.server,email=supp...@foo.bar
        Issued by: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
        Verifying against certificate[1].
        Verification output: Not verified, Insecure algorithm.

Certificate[1]: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
        Issued by: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
        Verification output: Verified.

[names/emails sanitized somewhat]

After generating a new server cert using sha1/rsa and plugging it into slapd (but still using the same md5/rsa CA cert), gnutls is now happy, and in turn, so is pam_ldap. I suppose the better solution would be to create a new sha1 CA cert also, but that would require copying it to all the clients, which is a lot more work.

Andy, I notice you have default_md=md5 in your openssl.cnf. You should change this to sha1 or something else not considered broken, and generate a new server cert, and that should solve your problem.

In summary, the recent gnutls update broke MD5 certs, but this was intentional. It would've been nice to announce this more loudly though. (To me, deprecate means discourage future use, not remove support.)
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-proposed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I'm seeing problems with the new version. Tests with either SSH or sudo, my first password attempt is rejected, yet the second attempt succeeds. I get this in the logs:

pam_ldap: ldap_starttls_s: Connect error

Setting tls_checkpeer to no in /etc/ldap.conf makes things work fine again. Reverting to 2.0.4-1ubuntu2.3 corrects the issue as well.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
@Andy: Could you describe the X509 certs and CA you're using?
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I am using a self-created CA with certificates signed by it. I used this command to create it:

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout physicsCA/private/cakey.pem -out physicsCA/cacert.pem -days 2190

I create and sign the certificates with these commands:

openssl req -config openssl.cnf -new -nodes -keyout $1.key -out $1.csr -days 1065
openssl ca -config openssl.cnf -policy policy_anything -out $1.crt -infiles $1.csr

The CA certificate file is distributed to all of my machines and is specified in the ldap.conf. If you want me to attach the openssl.cnf let me know.
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
Copy of note sent on 1/8/2009:

Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0) and the CA self signed cert (7651b327.0), a debug version of verify.c and partial output of an ldapsearch using the debug.c. My patch has been #if 0'ed out at line 151.

Let's refer to the cert chain as A, B and C. The OpenLDAP server (using OpenSSL) sends server cert A, intermediate cert B, and CA cert C. The TLS_CACERT file has B and C.

The clist_size is then 3, and the code in _gnutls_x509_verify_certificate around lines 443 drops it to 2, leaving the chain as A, B. The tcase_size is 2.

_gnutls_verify_certificate2 at line 452 is called with cert B and tcas with B and C and flags 0. At line 265, find_issuer is called with B. It returns C. check_is_ca is called at line 297, which fails because there is no BasicConstraint. The if at 293 looks correct too.

*BUT* if one trusts both B and C, do we need to verify C? Why does the code around line 265 not stop after finding that B is in the tcas, rather than looking for C, and then verifying it?

If I try it again with the TLS_CACERT file with only B, it also fails because it can not find the issuer of B. If the code around line 265 was modified if B was found in the tcas, this should also work.

Simon Josefsson wrote:
> Douglas E. Engert <deeng...@anl.gov> writes:
>
> > This is also being submitted to https://bugs.launchpad.net/bugs
> >
> > Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1, ldaps: has stopped working. This looks like it is related to the December changes that are also in gnutls-2.6.3. See attached patch that should work in both.
> >
> > ldapsearch -d 1 -H ldaps://...
> > TLS: peer cert untrusted or revoked (0x82)
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > The OpenLDAP ldap server certificate issued by Verisign is signed by:
> > Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem
> > which is signed by:
> > Verisign_Class_3_Public_Primary_Certification_Authority.pem
> >
> > Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0
> >
> > Verisign_Class_3_Public_Primary_Certification_Authority.pem is a self signed version 1 cert issued in 1996, with no extensions.
>
> Do you have a complete chain that triggers this? It will help our regression test suite. I don't have f0a38a80.0 on my debian lenny system. Does it also lack a basicConstraint? Does it use RSA-MDx? If yes, that would explain the problem.
>
> > In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no Basic Constraint. The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for this return and if it is a self signed cert, will treat it as a CA. The patch looks like it can be applied to 2.6.3 as well.
>
> The patch seems too permissive to me: the intention is that V1 certs should be rejected by GnuTLS unless GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT and/or GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT are passed as flags. Internally, GnuTLS by default enables the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag when called via gnutls_certificate_verify_peers2. So I think GnuTLS should typically accept this chain.
>
> Indeed, looking at the code that invokes the function you patched:
>
>   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
>       !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1))
>     {
>       if (check_if_ca (cert, issuer, flags) == 0)
>         {
>           gnutls_assert ();
>           if (output)
>             *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
>           return 0;
>         }
>     }
>
> It seems that the code you patched should not have been invoked at all if (flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1 is true (if I understand the logic correctly..). Could you debug why this isn't the case? Maybe issuer_version is wrong?
>
> A complete chain to reproduce this will let me debug it too.
>
> /Simon
>
> > Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any platform have no problems with this old cert.
> >
> > --
> > Douglas E. Engert <deeng...@anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444

--- ,verify.c2009-01-06 14:02:41.0 -0600 +++ verify.c 2009-01-07 17:07:27.0 -0600 @@ -130,11 +130,20 @@ } } - if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1) + result = gnutls_x509_crt_get_ca_status (issuer, NULL); + if (result == 1) { result = 1; goto cleanup; } + /* Old self signed CA certs may not have basic constrant */ + else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + (gnutls_x509_crt_check_issuer(issuer, issuer) == 1)) +{ + gnutls_assert (); + result = 1; + goto cleanup; +} else gnutls_assert ();
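Review bot: the added `else if` branch drops the flag gating that the caller performs. Once gnutls_x509_crt_get_ca_status returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, any issuer satisfying gnutls_x509_crt_check_issuer(issuer, issuer) is treated as a CA without consulting `flags` or the issuer's X.509 version, whereas the caller quoted above only waives the CA check for a V1 issuer when GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set. Either restrict the new branch to a V1 issuer under that flag or leave the decision to the caller. Two smaller points: `gnutls_assert ();` on a path that sets `result = 1;` and jumps to cleanup is a debug trace intended for error paths, and the comment should read "basic constraint".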
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
Mathias Gug wrote:
> @Andy: Could you describe the X509 certs and CA you're using?

We were using ldap and Verisign, and the root CA was a V2 from 1999 which signed an intermediate cert that signed the server certs. I submitted to gnutls a few changes to allow for stopping at the intermediate cert which I believe they added. In the meantime, we turned off cert checking, and have now replaced LDAP Verisign certs with certs issued locally. I will send you a copy of the note to gnutls from 1/8/2009 which has the certs.

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
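An added example (my own code, not GnuTLS's or OpenLDAP's) modelling the verification step argued over in the thread above and in Andrew's MD5 findings earlier: the digest check behind "Not verified, Insecure algorithm", the CA check gated by GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT exactly as in the caller Simon quoted, and the posted patch beside it so its permissiveness can be tested. The struct, the local flag constants, the MD5/MD2 opt-in flags and every certificate are constructed assumptions for this model.

```c
/* Added example, not GnuTLS/OpenLDAP code: a model of the verify.c decisions
 * argued over in this thread. Flag/output names mirror the GNUTLS_* ones
 * quoted above but are local constants; all certificates are constructed. */
#include <stdio.h>
#include <string.h>
enum {                                   /* verification flags */
    VERIFY_DISABLE_CA_SIGN      = 1 << 0,
    VERIFY_ALLOW_X509_V1_CA_CRT = 1 << 1,
    VERIFY_ALLOW_SIGN_RSA_MD5   = 1 << 2, /* assumed opt-ins for deprecated digests */
    VERIFY_ALLOW_SIGN_RSA_MD2   = 1 << 3
};
enum {                                   /* failure bits; 0 = verified */
    CERT_INVALID            = 1 << 0,
    CERT_SIGNER_NOT_CA      = 1 << 1,
    CERT_INSECURE_ALGORITHM = 1 << 2
};
enum sig_algo { SIG_RSA_MD2, SIG_RSA_MD5, SIG_RSA_SHA1 };

struct cert {                            /* hypothetical minimal certificate */
    const char   *subject, *issuer;      /* DNs */
    int           version;               /* X.509 version, 1 or 3 */
    int           has_basic_constraints, basic_constraints_ca;
    enum sig_algo sig;                   /* digest used in this cert's signature */
};

/* Like gnutls_x509_crt_get_ca_status: 1 = CA, 0 = not CA, -1 = extension
 * absent (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE). */
static int get_ca_status(const struct cert *c)
{
    return c->has_basic_constraints ? (c->basic_constraints_ca ? 1 : 0) : -1;
}

/* Stock check: issuer must carry basicConstraints cA=TRUE. */
static int check_if_ca_stock(const struct cert *issuer)
{
    return get_ca_status(issuer) == 1;
}

/* The posted patch: also promote a self-issued issuer that lacks
 * basicConstraints, consulting neither flags nor version. */
static int check_if_ca_patched(const struct cert *issuer)
{
    int r = get_ca_status(issuer);
    return r == 1 || (r == -1 && strcmp(issuer->subject, issuer->issuer) == 0);
}

/* One link of chain verification: may `issuer` vouch for `cert`?
 * Returns failure bits (0 = verified); `patched` selects the CA check. */
static unsigned verify_step(const struct cert *cert, const struct cert *issuer,
                            unsigned flags, int patched)
{
    /* "Not verified, Insecure algorithm" looks at the signature ON `cert`,
     * which is why a trusted MD5 root itself still prints "Verified". */
    if ((cert->sig == SIG_RSA_MD5 && !(flags & VERIFY_ALLOW_SIGN_RSA_MD5)) ||
        (cert->sig == SIG_RSA_MD2 && !(flags & VERIFY_ALLOW_SIGN_RSA_MD2)))
        return CERT_INSECURE_ALGORITHM | CERT_INVALID;
    /* CA check gated exactly as in the caller Simon quoted: skipped for a
     * V1 issuer only when the V1 flag is set. */
    if (!(flags & VERIFY_DISABLE_CA_SIGN) &&
        !((flags & VERIFY_ALLOW_X509_V1_CA_CRT) && issuer->version == 1) &&
        !(patched ? check_if_ca_patched(issuer) : check_if_ca_stock(issuer)))
        return CERT_SIGNER_NOT_CA | CERT_INVALID;
    return 0;
}

/* Andrew's setup: MD5-signed V3 CA (cA=TRUE) and a server cert signed with
 * `server_sig`; flags 0, stock check. */
unsigned md5_ca_server_outcome(enum sig_algo server_sig)
{
    struct cert ca  = { "CN=ISC CA", "CN=ISC CA", 3, 1, 1, SIG_RSA_MD5 };
    struct cert srv = { "CN=ldap.server", "CN=ISC CA", 3, 0, 0, server_sig };
    return verify_step(&srv, &ca, 0, 0);
}

/* Doug's setup: V3 intermediate B signed by an extension-less V1 root C. */
unsigned v1_root_outcome(unsigned flags, int patched)
{
    struct cert root  = { "CN=Old Root", "CN=Old Root", 1, 0, 0, SIG_RSA_MD2 };
    struct cert inter = { "CN=Intermediate", "CN=Old Root", 3, 1, 1, SIG_RSA_SHA1 };
    return verify_step(&inter, &root, flags, patched);
}

/* Simon's objection made concrete: a V3 self-issued cert without
 * basicConstraints is not a CA under any flag, yet the patch accepts it. */
unsigned v3_selfissued_no_bc_outcome(unsigned flags, int patched)
{
    struct cert iss  = { "CN=NotACA", "CN=NotACA", 3, 0, 0, SIG_RSA_SHA1 };
    struct cert leaf = { "CN=ldap.example", "CN=NotACA", 3, 0, 0, SIG_RSA_SHA1 };
    return verify_step(&leaf, &iss, flags, patched);
}

int main(void)
{
    printf("md5 server: %u  sha1 server: %u\n", md5_ca_server_outcome(SIG_RSA_MD5),
           md5_ca_server_outcome(SIG_RSA_SHA1));
    printf("v1 root: stock %u  ALLOW_V1 %u  patched %u\n", v1_root_outcome(0, 0),
           v1_root_outcome(VERIFY_ALLOW_X509_V1_CA_CRT, 0), v1_root_outcome(0, 1));
    return 0;
}
```

A nonzero result is the reason the link failed; the model shows why re-issuing only the server cert with SHA1 satisfied gnutls while the MD5 root stayed trusted, and why OpenLDAP calling with flags 0 rejected the V1 root until the V1 flag was passed.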
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
Hi Andy,

On Thu, Jul 09, 2009 at 03:51:04PM -0000, Andy Wettstein wrote:
> If you want me to attach the openssl.cnf let me know.

Could you please attach your openssl.cnf file so that it's easier to reproduce your environment?

Thank you,
--
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Attaching my openssl.cnf

** Attachment added: "openssl.cnf"
   http://launchpadlibrarian.net/28850996/openssl.cnf
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
For the gnutls/hardy SRU: I have reproduced the acceptance of rsa/md2 v1 certificates by the version of gnutls13 in hardy-updates, 2.0.4-1ubuntu2.3, and can confirm that the version of gnutls13 in hardy-proposed does not accept rsa/md2 certificates. I have added a testcase for this situation in the gnutls test script in the lp:qa-regression-testing bzr tree.

The package passes the rest of the regression test in the testsuite, with the exception of known bug 292604 which is not a regression (2.0.4-1ubuntu2.3 also fails this test and it looks like it won't get fixed in hardy).
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
For the openldap/hardy SRU: I have:

(1) reproduced the acceptance of the v1 certificates as outlined in Mathias' test case by the ldap clients with ldap 2.4.9-0ubuntu0.8.04.2 and gnutls13 2.0.4-1ubuntu2.

(2) reproduced the rejection of v1 certificates by the ldap clients with ldap 2.4.9-0ubuntu0.8.04.2 and gnutls13 versions 2.0.4-1ubuntu2.3 and 2.0.4-1ubuntu2.5.

(3) confirmed that with the version of the ldap packages in hardy-proposed, 2.4.9-0ubuntu0.8.04.3, the v1 certificates are once again accepted when using gnutls13 versions 2.0.4-1ubuntu2.3 and 2.0.4-1ubuntu2.5.

I have also run the ldap packages in hardy-proposed through the openldap testcases in the lp:qa-regression-testing bzr tree with all three available versions of gnutls13 (gnutls13 2.0.4-1ubuntu2, 2.0.4-1ubuntu2.3, 2.0.4-1ubuntu2.5) and confirmed that there were no introduced regressions seen there as well.

I consider the openldap packages verification-done for hardy.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
This bug was fixed in the package gnutls13 - 2.0.4-1ubuntu2.5

---------------
gnutls13 (2.0.4-1ubuntu2.5) hardy-security; urgency=low

  * Fix for certificate chain regressions introduced by fixes for
    CVE-2008-4989
  * debian/patches/91_CVE-2008-4989.diff: updated to upstream's final 2.4.2 -
    2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and address all
    known regressions. To summarize from upstream:
    - Fix X.509 certificate chain validation error (CVE-2008-4989)
    - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
    - Deprecate X.509 validation chains using MD5 and MD2 signatures
    - Accept chains where intermediary certs are trusted (LP: #305264)

 -- Jamie Strandboge <ja...@ubuntu.com>  Fri, 20 Feb 2009 13:02:36 -0600

** Changed in: gnutls13 (Ubuntu Hardy)
   Status: Fix Committed => Fix Released
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:ubuntu/gutsy-updates/gnutls13

** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/gnutls13/gutsy-proposed

** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-security

** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-proposed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Sorry for my report, it was out of confusion between /etc/ldap.conf and /etc/ldap/ldap.conf. I think their names are rather unfortunate, but this is another issue.

Mika
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/openldap/intrepid-proposed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-security

** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-proposed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Doug Engert wrote:
> The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (Licencing issues are low on my list of reasons.)

Indeed, for a security tool you want a package written by experienced security developers, not a science project. This isn't a game after all. GnuTLS doesn't even merit a version number greater than 0.5, IMO.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Branch linked: lp:ubuntu/karmic/openldap
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I guess we are having the same problem authenticating against a sun open directory server. I use intrepid-proposed on my client:

r...@client:~# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
gnutls-bin 2.4.1-1ubuntu0.3 gnutls26 install ok installed
ldap-auth-client 0.5.2  install ok installed
ldap-auth-config 0.5.2 ldap-auth-client install ok installed
ldap-utils 2.4.11-0ubuntu6.2 openldap install ok installed
libcurl3-gnutls 7.18.2-1ubuntu4.3 curl install ok installed
libgnutls26 2.4.1-1ubuntu0.3 gnutls26 install ok installed
libldap-2.4-2 2.4.11-0ubuntu6.2 openldap install ok installed
libnss-ldap 260-1ubuntu2  install ok installed
libpam-ldap 184-4ubuntu2  install ok installed

The rest is attached:
ldap.conf
output of gnutls-cli -p636 --x509cafile CAFILE srv.obf.obf.ob
output of ldapsearch -x -ZZ -d7

If you need anything else, please ask.

** Attachment added: "output of gnutls-cli -p636 --x509cafile CAFILE srv.obf.obf.ob"
   http://launchpadlibrarian.net/28369414/gnutls-cli_-p636_--x509cafile_CAFILE_srv.obf.usc.at
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Attachment added: "our ldap.conf"
   http://launchpadlibrarian.net/28369422/ldap.conf
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Attachment added: "output of ldapsearch -x -ZZ -d7"
   http://launchpadlibrarian.net/28369454/ldapsearch_-x_-ZZ_-d7
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

** Changed in: gnutls13 (Ubuntu Gutsy)
   Status: Fix Committed => Won't Fix
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
@Stephan: Could you provide the output of the following command run on the system where the ldap failure happens:

dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: openldap (Ubuntu Hardy)
       Status: Triaged => Fix Committed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Even though the issue has been reported as 'fixed' I am still facing this problem with an OpenBSD OpenLDAP server:

  # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d1
  ...
  TLS: peer cert untrusted or revoked (0x42)
  ldap_err2string
  ldap_start_tls: Connect error (-11)

I've tried on Hardy and Intrepid with the same results. I tried specifying TLS_CACERT with no luck. An openSUSE 11.0 client works out of the box, though.
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
On Thu, Mar 26, 2009 at 04:35:38PM -, star26bsd wrote:
> Even though the issue has been reported as 'fixed' I am still facing this problem with an OpenBSD OpenLDAP server:
>
>   # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d1
>   ...
>   TLS: peer cert untrusted or revoked (0x42)

@Stephan: Please include the information requested at https://wiki.ubuntu.com/DebuggingOpenldap#ssl-client-failure.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Mathias, in regards to the wiki you linked above, my preference when debugging these issues is to recommend debug level 7, which includes packet traces, instead of debug 1. It's much better (to me) to be able to see all the traffic, which includes the raw transfer of certificates and their DER DNs, when tracking down TLS problems.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: openldap (Ubuntu Intrepid)
     Assignee: (unassigned) => Mathias Gug (mathiaz)

** Changed in: openldap (Ubuntu Hardy)
     Assignee: (unassigned) => Mathias Gug (mathiaz)
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Description changed:

  I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.

  This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

    gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

  I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update. I concentrated the rest of my tests in dapper.

  With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
  With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

  Here is the chain as seen by gnutls against staging.landscape.canonical.com:

    [0] Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
        Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
    [1] Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
        Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
    [2] Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
        Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,email=i...@valicert.com
    [3] Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,email=i...@valicert.com
        Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,email=i...@valicert.com

  Notice that the last certificate in the chain is the CA certificate, which is self signed.

  I wonder if the recent security fix broke that:
  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate if it is self-signed in lib/x509/verify.c

  Here is openssl's chain against the same site (staging):

    Certificate chain
     0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
     2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
       i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
     3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
       i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com

  Openssl's s_client tool works, btw.
+ 
+ TESTCASE for openldap SRU:
+ 
+ 1. Generate a V1 root CA. Can be done with an openssl configuration that
+ does not use any x509 extensions. Make sure that the generated root CA
+ is a V1 root CA.
+ 
+ 2. Generate a client private key and a V1 certificate signed by the root
+ CA above. Note that the CN of the certificate has to match the fqdn of
+ the test system.
+ 
+ 3. Install slapd and ldap-utils on a test system and configure slapd to
+ use TLS:
+ 
+ a. Enable TLS in cn=config backend:
+ 
+ math...@t-slapd-i:~$ cat enable-ca.ldif
+ dn: cn=config
+ add: olcTLSCACertificateFile
+ olcTLSCACertificateFile: /etc/ldap/cacert.pem
+ 
+ dn: cn=config
+ add: olcTLSCertificateFile
+ olcTLSCertificateFile: /etc/ldap/newcert.pem
+ 
+ dn: cn=config
+ add: olcTLSCertificateKeyFile
+ olcTLSCertificateKeyFile: /etc/ldap/key.pem
+ 
+ math...@t-slapd-i:~$ ldapmodify -D cn=admin,cn=config -x -w mypwd -f enable-ca.ldif
+ 
+ b. Copy the root CA certificate to /etc/ldap/cacert.pem, the host certificate to /etc/ldap/newcert.pem and the host private key to /etc/ldap/key.pem. Make them owned by the openldap user and group.
+ c. Append the root CA certificate (/etc/ldap/cacert.pem) to the host certificate file (/etc/ldap/newcert.pem).
+ d. Enable slaps in /etc/default/slapd.
+ e. Restart slapd.
+ 
+ 4. Make sure that slapd is correctly configured to use TLS:
+ a. Downgrade libgnutls to the version in the release (not the one in -security, -update or -proposed).
+ b. Check that ldapsearch
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I've noticed strange behaviour which could be related to this bug.

  #certtool -i ldap-cert.pem | grep -i issu
  Issuer: C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ca.domain.my,email=ad...@domain.my

  #certtool -e --load-ca-certificate cacert.pem ldap-cert.pem
  Issued by: C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ldap.florist.my,email=ad...@florist.ru
  certtool: Error: The last certificate is not self signed.

Notice that in verify mode it thinks the issuer is the same as the CN of ldap-cert.pem, while in information mode it shows the issuer correctly. Of course openssl verify verifies ldap-cert.pem seamlessly.
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
Mathias Gug wrote:
> One workaround is to put all of the CA certs in the trusted CA certificate file.

Yes, that is what we have had to do. The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (Licencing issues are low on my list of reasons.)

> If the system running slapd is on hardy (or intrepid or jaunty) you should also add all of the CA certificates to the server certificate file - this is to workaround a bug where the slapd daemon doesn't send all of the CA certificates to the client.

All or just the intermediate certificates?

Another issue with gnutls, no intermediate file (or directory) of certificates.

-- 
Douglas E. Engert  deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
On Mon, Mar 09, 2009 at 02:21:58PM -, Doug Engert wrote:
> The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (Licencing issues are low on my list of reasons.)

Licensing was the main motivation to move to 2.4 and GnuTLS. The other option was to keep the client libraries to 2.1.

>> If the system running slapd is on hardy (or intrepid or jaunty) you should also add all of the CA certificates to the server certificate file - this is to workaround a bug where the slapd daemon doesn't send all of the CA certificates to the client.
>
> All or just the intermediate certificates?

The intermediate certificates should be enough. If not, all of them should work.

> Another issue with gnutls, no intermediate file (or directory) of certificates.

Please open a new bug to track this specific issue.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: openldap (Ubuntu Jaunty)
       Status: Triaged => In Progress
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
One workaround is to put all of the CA certs in the trusted CA certificate file.

If the system running slapd is on hardy (or intrepid or jaunty) you should also add all of the CA certificates to the server certificate file - this is to workaround a bug where the slapd daemon doesn't send all of the CA certificates to the client.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
This bug was fixed in the package openldap - 2.4.15-1ubuntu1

---------------
openldap (2.4.15-1ubuntu1) jaunty; urgency=low

  [ Steve Langasek ]
  * Update priority of libldap-2.4-2 to match the archive override.
  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
    ldapurl(1) manpage. Thanks to Peter Marschall for the patch.
    Closes: #496749.
  * Bump build-dependency on debhelper to 6 instead of 5, since that's what
    we're using. Closes: #498116.
  * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
    the built-in default of ldap:/// only.

  [ Mathias Gug ]
  * Merge from debian unstable, remaining changes:
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
    - AppArmor support:
      - debian/apparmor-profile: add AppArmor profile
      - debian/slapd.postinst: Reload AA profile on configuration
      - updated debian/slapd.README.Debian for note on AppArmor
      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
      - debian/control: Conflicts with apparmor-profiles 2.1+1075-0ubuntu4
        to make sure that if earlier version of apparmor-profiles gets
        installed it won't overwrite our profile.
    - follow ApparmorProfileMigration and force apparmor complain mode on
      some upgrades (LP: #203529)
      - debian/slapd.dirs: add etc/apparmor.d/force-complain
      - debian/slapd.preinst: create symlink for force-complain on pre-feisty
        upgrades, upgrades where apparmor-profiles profile is unchanged (ie
        non-enforcing) and upgrades where apparmor profile does not exist.
      - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/control:
      - Build-depend on libltdl7-dev rather than libltdl3-dev.
    - debian/patches/autogen.sh:
      - Call libtoolize with the --install option to install
        config.{guess,sub} files.
    - Don't use local statement in config script as it fails if /bin/sh
      points to bash (LP: #286063).
    - Disable the testsuite on hppa. Allows building of packages on this
      architecture again, once this package is in the archive. LP: #288908.
    - debian/slapd.postinst, debian/slapd.script-common: set correct
      ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
      readable) and /var/run/slapd (world readable). (LP: #257667).
    - Enable nssoverlay:
      - debian/patches/nssov-build, debian/rules: Build and package the nss
        overlay.
      - debian/schema/misc.ldif: add ldif file for the misc schema which
        defines rfc822MailMember (required by the nss overlay).
    - debian/{control,rules}: enable PIE hardening
    - Use cn=config as the default configuration backend instead of
      slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
      asking the end user to enter a new password to control the access to
      the cn=config tree.
  * Dropped:
    - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
      times. (ITS: #5947) Fixed in new upstream version 2.4.15.
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now. Implemented in Debian.
  * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure
    when built with PIE.
  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
    trusted (LP: #305264).

openldap (2.4.15-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream version
    - Fixes a bug with the pcache overlay not returning cached entries
      (closes: #497697)
    - Update evolution-ntlm patch to apply to current Makefiles.
    - (tentatively) drop gnutls-ciphers, since this bug was reported to be
      fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the
      patch from the bug report, so this should be watched for regressions.
  * Build against db4.7 instead of db4.2 at last! Closes: #421946.
  * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
    installed in the build environment.
  * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with
    current headers in unstable

 -- Mathias Gug <math...@ubuntu.com>  Fri, 06 Mar 2009 17:34:21 -0500

** Changed in: openldap (Ubuntu Jaunty)
       Status: In Progress => Fix Released
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I've attached the specific patch that enables V1 Certs to be trusted.

** Attachment added: gnutls-v1-cert-enabled.patch
   http://launchpadlibrarian.net/23565417/gnutls-v1-cert-enabled.patch
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I was able to reproduce the libldap client bug:

0. Need two versions of openldap: one compiled with gnutls, the other with openssl.
1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with the certificates issued above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

  math...@t-slapd-gnutls:~$ ldapsearch -b dc=vmnet -D cn=admin,dc=vmnet -x -w mypwd -H ldaps://t-slapd-openssl./ -d 1
  ldap_url_parse_ext(ldaps://t-slapd-openssl./)
  ldap_create
  ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
  ldap_sasl_bind
  ldap_send_initial_request
  ldap_new_connection 1 1 0
  ldap_int_open_connection
  ldap_connect_to_host: TCP t-slapd-openssl.:636
  ldap_new_socket: 3
  ldap_prepare_socket: 3
  ldap_connect_to_host: Trying 172.19.42.220:636
  ldap_pvt_connect: fd: 3 tm: -1 async: 0
  TLS: peer cert untrusted or revoked (0x82)
  TLS: can't connect: (unknown error code).
  ldap_err2string
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I've filed a bug in openldap bug tracker: http://www.OpenLDAP.org/its/index.cgi?findid=5992

Note that a possible workaround is to put *all* of the CA certificates from the chain in the TLS_CACERT file. If one of the intermediate CA certs is a V3 certificate gnutls shouldn't fail and the ldap connection should proceed. This is actually mentioned in the Admin guide:

  16.2.2.1. TLS_CACERT <filename>

  This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

which points to section 16.2.1.1. TLSCACertificateFile <filename>:

  If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
libldap is now patched in OpenLDAP cvs HEAD. We anticipate releasing a bugfix-only 2.4.16 release very soon, with this fix included.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Dapper through Intrepid have been copied to -proposed now.

** Tags added: verification-needed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: gnutls12 (Ubuntu Dapper)
       Status: Triaged => In Progress

** Changed in: gnutls13 (Ubuntu Gutsy)
       Status: Triaged => In Progress

** Changed in: gnutls13 (Ubuntu Hardy)
       Status: Triaged => In Progress

** Changed in: gnutls26 (Ubuntu Intrepid)
       Status: Triaged => In Progress

** Changed in: gnutls26 (Ubuntu Intrepid)
   Importance: Undecided => High
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Upstream released 2.4.3 to address both the vulnerability and the known regressions. Reviewing upstream's mailing list shows no regressions so far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix Released'.

I have backported the relevant patches to Dapper through Intrepid, and am testing them now. I will upload them shortly for testing.

** Changed in: gnutls26 (Ubuntu Jaunty)
       Status: Triaged => Fix Released
Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation
Thanks.

Jamie Strandboge wrote:
> Upstream released 2.4.3 to address both the vulnerability and the known regressions. Reviewing upstream's mailing list shows no regressions so far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix Released'.
>
> I have backported the relevant patches to Dapper through Intrepid, and am testing them now. I will upload them shortly for testing.
>
> ** Changed in: gnutls26 (Ubuntu Jaunty)
>        Status: Triaged => Fix Released

-- 
Douglas E. Engert  deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Dapper - Intrepid have been uploaded to the ubuntu-security-proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ppa). Once they have finished building, they can be pocket copied to -proposed and people can use https://wiki.ubuntu.com/Testing/EnableProposed. Please leave feedback here so they can be moved to -updates.

** Changed in: gnutls12 (Ubuntu Dapper)
       Status: In Progress => Fix Committed

** Changed in: gnutls13 (Ubuntu Gutsy)
       Status: In Progress => Fix Committed

** Changed in: gnutls13 (Ubuntu Hardy)
       Status: In Progress => Fix Committed

** Changed in: gnutls26 (Ubuntu Intrepid)
       Status: In Progress => Fix Committed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I believe applying the proposed patch is becoming increasingly urgent. It is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it didn't break anything. Pinning down on 2.0.4-1 of libgnutls13 is not a long-term solution, especially not for an LTS system. The patch has been verified as working in staging environments, and I believe we have to come to a decision. Maintaining my own version of gnutls for the next 4 years doesn't really appeal to me either..

Also, in my experience it is not uncommon to use home brewed root certificates without the basicConstraints extension, i.e. for authentication of the directory service. This configuration fails with the current ubuntu version.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
Commenting per request in #ubuntu-meeting.

It is a really unfortunate situation that these certificates unintentionally passed verification before the updates. IMO, the security fix (that is also in other distributions now) is needed and should not be backed out. Without it, man-in-the-middle attacks against certificate chains are much easier to conduct. From a security perspective, the patch needs to stay and the gnutls defaults of disabling V1 certificates need to stay the same.

I am well aware that the current situation breaks certain configurations, and do not feel I can make the final decision. There is also the patch in bug #314915, also discussed upstream, that may be an option. AFAICT, this patch has not been applied upstream yet and I feel uncomfortable applying it without more Debian and Gnutls feedback (lately, each time this section of code has been touched another bug in the certificate chain verification popped up).
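The V1 root CAs that the SRU test case in the bug description generates, and the "home brewed root certificates without the basicConstraints extension" mentioned a few comments up, are exactly what the patched verifier refuses to treat as CAs: a V1 certificate has no extensions field at all, so it cannot carry basicConstraints cA=TRUE. The script below is an added example for this thread (not code from this bug, GnuTLS, or OpenLDAP) that audits a PEM bundle such as /etc/ssl/certs/ca-certificates.crt or an LDAP TLS_CACERT file for that property. It parses DER with a minimal reader using only the Python standard library. The three certificates it ships with are constructed toy skeletons (a V1 root, a V3 CA, a V3 end-entity cert) whose key and signature bytes are placeholders, so the code exercises the parser without a real CA; all function and constant names are this example's own.

```python
"""Audit a PEM bundle for V1 certificates (no extensions, so no basicConstraints),
which the CVE-2008-4989-patched GnuTLS default no longer trusts as CAs.
Added example for this thread; not GnuTLS or OpenLDAP code. Standard library only."""
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def classify_certificate(der):
    """Return {'version', 'has_basic_constraints', 'is_ca'} for one DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    version = 1                                    # v1 omits the version field entirely
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT Version INTEGER (v3 == 2)
        version = int.from_bytes(next(_children(fields[0][1]))[1], "big") + 1
    info = {"version": version, "has_basic_constraints": False, "is_ca": False}
    for tag, val in fields:
        if tag != 0xA3:                            # [3] EXPLICIT Extensions, present only in v3
            continue
        _, extensions = next(_children(val))
        for _, ext in _children(extensions):      # Extension ::= SEQUENCE {extnID, critical?, extnValue}
            parts = list(_children(ext))
            if parts[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            info["has_basic_constraints"] = True
            _, bc, _ = _read_tlv(parts[-1][1], 0)  # BasicConstraints ::= SEQUENCE {cA BOOLEAN DEFAULT FALSE, ...}
            info["is_ca"] = any(t == 0x01 and v != b"\x00" for t, v in _children(bc))
    return info


def certificates_from_pem(text):
    """Decode every CERTIFICATE block in a PEM bundle to DER bytes, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def audit_bundle(text):
    """One verdict string per certificate in the bundle."""
    verdicts = []
    for der in certificates_from_pem(text):
        info = classify_certificate(der)
        if info["version"] == 1:
            verdicts.append("V1 certificate: no extensions, so no basicConstraints; "
                            "not trusted as a CA by the patched GnuTLS default")
        elif info["is_ca"]:
            verdicts.append("V%d CA: basicConstraints cA=TRUE" % info["version"])
        else:
            verdicts.append("V%d non-CA: no basicConstraints cA=TRUE" % info["version"])
    return verdicts


# --- constructed sample data: placeholder key and signature bytes, parser-valid only ---
def _der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _toy_certificate(version3, ca):
    """Certificate skeleton; ca is None (no basicConstraints), True or False."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"toy"))))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"090101000000Z") + _der(0x17, b"190101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                + _der(0x03, b"\x00" * 9))         # rsaEncryption with placeholder key bits
    tbs = _der(0x02, b"\x01") + sig_alg + name + validity + name + spki
    if version3:
        tbs = _der(0xA0, _der(0x02, b"\x02")) + tbs
        if ca is not None:
            bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")   # DER omits cA when it is the DEFAULT FALSE
            ext = _der(0x30, _der(0x06, BASIC_CONSTRAINTS_OID) + _der(0x01, b"\xff") + _der(0x04, bc))
            tbs += _der(0xA3, _der(0x30, ext))
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 9))  # placeholder signature


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (to_pem(_toy_certificate(False, None))    # V1 root, like a home-brewed CA
                 + to_pem(_toy_certificate(True, True))   # V3 CA, cA=TRUE
                 + to_pem(_toy_certificate(True, False))) # V3 end-entity, cA absent (FALSE)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, verdict in enumerate(audit_bundle(text)):
        print("[%d] %s" % (i, verdict))
```

Run it with a bundle path as the argument to list, in file order, which entries are V1. Any V1 entry that a slapd or ldapsearch deployment relies on as a trust anchor is one that will start failing with "peer cert untrusted or revoked" after the update, which is the case the thread's TLS_CACERT workaround and the openldap gnutls-enable-v1-ca-certs patch address.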
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: gnutls26 (Debian)
     Bugwatch: Debian Bug tracker #507633 => Debian Bug tracker #509593
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I have finally been able to reproduce this with ldapsearch. After performing:

  $ sudo apt-get install ca-certificates ldap-utils

I tried to do on unpatched hardy:

  $ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://Ian's public ldap server:636/ -d 1
  ...
  ldap_open_defconn: successful
  ...

and then on patched hardy:

  $ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://Ian's public ldap server:636/ -d 1
  ...
  TLS: peer cert untrusted or revoked (0x82)
  ldap_err2string
  ldap_start_tls: Can't contact LDAP server (-1)

All patched versions of gnutls on Hardy, Intrepid, Jaunty and Debian Sid are affected (Dapper and Gutsy ldap-utils use openssl and are not affected).

I cannot reproduce this with the gnutls tools. I have Ian's certificate and the result of:

  $ certtool -e --infile Ian's certificate

is the same for unpatched and patched versions of gnutls on hardy and intrepid, and also jaunty. I then did:

  $ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 \
    Ian's public ldap server

and it works fine on patched and unpatched versions of gnutls on hardy and intrepid, and also on jaunty.

** Also affects: openldap (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: openldap (Ubuntu Dapper)
       Status: New => Invalid

** Changed in: openldap (Ubuntu Gutsy)
       Status: New => Invalid

** Changed in: openldap (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: openldap (Ubuntu Jaunty)
       Status: New => Confirmed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
** Changed in: openldap (Ubuntu Intrepid)
       Status: New => Confirmed
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
The ldap issue has been reported in Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509593.

Ian, would you mind adding your ldap server URL to the bug? This way other developers can test against it. If not, I mentioned in the Debian report that I would give the URL to the maintainer privately.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I compiled 2.6.3 on Jaunty and it also gives the same error.
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
For clarity: Dapper, Gutsy, Hardy and Intrepid have the same patch as Jaunty (and Sid), which is the same as upstream 2.6.3.