[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2011-08-10 Thread Bug Watch Updater
** Changed in: gnutls26 (Debian)
   Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/305264

Title:
  gnutls regression: failure in certificate chain validation

To manage notifications about this bug go to:
https://bugs.launchpad.net/landscape/+bug/305264/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Hardy openldap2.3 was fixed a while ago, but didn't auto-close:

openldap2.3 (2.4.9-0ubuntu0.8.04.3) hardy-proposed; urgency=low

  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
  trusted (LP: #305264).

 -- Mathias Gug math...@ubuntu.com   Wed, 25 Mar 2009 14:30:35 -0400

** Changed in: openldap (Ubuntu Hardy)
   Status: Fix Committed => Fix Released



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls12 1.2.9-2ubuntu1.5 to dapper-security and dapper-updates

** Changed in: gnutls12 (Ubuntu Dapper)
   Status: Fix Committed => Fix Released

** Tags added: verification-done
** Tags removed: verification-needed



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls26 - 2.4.1-1ubuntu0.3

---
gnutls26 (2.4.1-1ubuntu0.3) intrepid-security; urgency=low

  * Fix for certificate chain regressions introduced by fixes for
CVE-2008-4989
  * debian/patches/20_CVE-2008-4989.diff: updated to upstream's final
2.4.2 -> 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
address all known regressions. To summarize from upstream:
- Fix X.509 certificate chain validation error (CVE-2008-4989)
- Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
- Deprecate X.509 validation chains using MD5 and MD2 signatures
- Accept chains where intermediary certs are trusted (LP: #305264)

 -- Jamie Strandboge ja...@ubuntu.com   Fri, 20 Feb 2009 12:24:43 -0600

** Changed in: gnutls26 (Ubuntu Intrepid)
   Status: Fix Committed => Fix Released



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls26 2.4.1-1ubuntu0.3 from -proposed to -security and
-updates.



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.11-0ubuntu6.2

---
openldap (2.4.11-0ubuntu6.2) intrepid-proposed; urgency=low

  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
trusted (LP: #305264).

 -- Mathias Gug math...@ubuntu.com   Wed, 25 Mar 2009 12:52:23 -0400

** Changed in: openldap (Ubuntu Intrepid)
   Status: Fix Committed => Fix Released



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied openldap 2.4.11-0ubuntu6.2 from -proposed to -updates.



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Howard Chu
Just noting for posterity, as of GnuTLS 2.8.0 (released 2009-05-27) you
can use %VERIFY_ALLOW_X509_V1_CA_CRT in the TLSCipherSuite options to
enable V1 CA certs. I will probably #ifdef the current OpenLDAP patch to
turn it off for GnuTLS >= 2.8.0. (Haven't decided on best course of
action yet, given http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256 )

** Bug watch added: Debian Bug tracker #541256
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/dapper-security/gnutls12



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-08 Thread Jamie Strandboge
We need to push gnutls12 in Dapper and gnutls26 in Intrepid in -proposed
to -security since these fix CVE-2009-2409. Dapper should not be a
problem with openldap since openldap uses libssl0.9.8 on Dapper. For
Intrepid, openldap will need to be copied as was done with Hardy.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2409



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-14 Thread Andrew Daugherity
I ran into the same problem (the update to libgnutls13 2.0.4-1ubuntu2.5
broke LDAP auth, due to the certificate chain no longer validating).
The quick fix was to set TLS_REQCERT to allow in /etc/ldap/ldap.conf,
but that is just a temporary workaround.

Indeed, using gnutls-cli to connect to server:636 fails verification
with this version, whereas after rolling back to -ubuntu2.3 it succeeds.
'openssl s_client' is still happy.  I discovered that this is because
both my CA cert and the server cert were using md5/rsa, which are no
longer supported by gnutls.  Note the changelog entry "- Deprecate
X.509 validation chains using MD5 and MD2 signatures"; apparently by
"deprecate" they mean "no longer support at all".

Apparently gnutls doesn't mind the self-signed CA cert being MD5, but it's not 
happy with the server cert:
and...@shiny:~$ echo|gnutls-cli --print-cert --x509cafile isc-ca.crt -p 636 ldap.server | certtool -e
Certificate[0]: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ldap.server,email=supp...@foo.bar
Issued by: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
Verifying against certificate[1].
Verification output: Not verified, Insecure algorithm.

Certificate[1]: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
Issued by: C=US,ST=Texas,L=College Station,O=TAMU,OU=VPR,CN=ISC CA,email=supp...@foo.bar
Verification output: Verified.
[names/emails sanitized somewhat]

After generating a new server cert using sha1/rsa and plugging it into
slapd (but still using the same md5/rsa CA cert), gnutls is now happy,
and in turn, so is pam_ldap.  I suppose the better solution would be to
create a new sha1 CA cert also, but that would require copying it to all
the clients, which is a lot more work.

Andy, I notice you have default_md=md5 in your openssl.cnf.  You should
change this to sha1 or something else not considered broken, and
generate a new server cert, and that should solve your problem.

In summary, the recent gnutls update broke MD5 certs, but this was
intentional.  It would've been nice to announce this more loudly though.
(To me, "deprecate" means "discourage future use", not "remove
support".)



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-proposed



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I'm seeing problems with the new version.

Testing with either SSH or sudo, my first password attempt is rejected, yet the
second attempt succeeds.
I get this in the logs:
pam_ldap: ldap_starttls_s: Connect error

Setting tls_checkpeer to no in /etc/ldap.conf makes things work fine
again.

Reverting to 2.0.4-1ubuntu2.3 corrects the issue as well.



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
@Andy:

Could you describe the X509 certs and CA you're using?



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I am using a self created CA with certificates signed by it.

I used this command to create it:
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout physicsCA/private/cakey.pem -out physicsCA/cacert.pem -days 2190

I create and sign the certificates with these commands:

openssl req -config openssl.cnf -new -nodes -keyout $1.key -out $1.csr -days 1065
openssl ca -config openssl.cnf -policy policy_anything -out $1.crt -infiles $1.csr


The CA certificate file is distributed to all of my machines and is specified 
in the ldap.conf.

If you want me to attach the openssl.cnf let me know.



Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert
Copy of note sent on 1/8/2009:


Attached are the server cert (auth2.it.anl.gov), the intermediate cert 
(f0a38a80.0)
and the CA self signed cert (7651b327.0) a debug version of verify.c
and partial output of an ldapsearch using the debug.c

My patch has been #if 0'ed out at line 151.

   Let's refer to the cert chain as A, B and C. The OpenLDAP server (using OpenSSL)
sends server cert A, intermediate cert B, and CA cert C.

The TLS_CACERT file has B and C.


The clist_size is then 3, and the code in _gnutls_x509_verify_certificate
around line 443 drops it to 2, leaving the chain as A, B.

The tcase_size is 2.

_gnutls_verify_certificate2 at line 452 is called with cert B and
tcas with B and C and flags 0.

At line 265, find_issuer is called with B. It returns C.
check_is_ca is called at line 297, which fails
because there is no BasicConstraint. The if at 293 looks correct too.


*BUT* if one trusts both B and C, do we need to verify C?
Why does the code around line 265 not stop after finding that B is in the tcas,
rather than looking for C, and then verifying it?


If I try it again with the TLS_CACERT file with only B,
it also fails because it can not find the issuer of B.
If the code around line 265 were modified to stop when B is found in the tcas,
this should also work.


Simon Josefsson wrote:
 Douglas E. Engert deeng...@anl.gov writes:
 
 This is also being submitted to https://bugs.launchpad.net/bugs

 Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
 ldaps: has stopped working. This looks like it is related to
 the December changes that are also in gnutls-2.6.3. See attached
 patch that should work in both.

 ldapsearch -d 1  -H ldaps://...

 TLS: peer cert untrusted or revoked (0x82)
 ldap_err2string
 ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


 The OpenLDAP ldap server certificate issued by Verisign is signed by:

 Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem

 which is signed by:
 Verisign_Class_3_Public_Primary_Certification_Authority.pem

 Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

 Verisign_Class_3_Public_Primary_Certification_Authority.pem
 is a self signed version 1 cert issued in 1996, with no extensions.
 
 Do you have a complete chain that triggers this?  It will help our
 regression test suite.
 
 I don't have f0a38a80.0 on my debian lenny system.  Does it also lack a
 basicConstraint?  Does it use RSA-MDx?  If yes, that would explain the
 problem.
 
 In lib/x509/verify.c  gnutls_x509_crt_get_ca_status is called
 but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
 Basic Constraint.

 The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
 this return and if it is a self signed cert, will treat it as a CA.
 The patch looks like it can be applied to 2.6.3 as well.
 
 The patch seems too permissive to me: the intention is that V1 certs
 should be rejected by GnuTLS unless GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
 and/or GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT are passed as flags.
 
 Internally, GnuTLS by default enables the
 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag when called via
 gnutls_certificate_verify_peers2.  So I think GnuTLS should typically
 accept this chain.
 
 Indeed, looking at the code that invokes the function you patched:
 
   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
       !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1))
     {
       if (check_if_ca (cert, issuer, flags) == 0)
         {
           gnutls_assert ();
           if (output)
             *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
           return 0;
         }
     }
 
 It seems that the code you patched should not have been invoked at all
 if (flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1
 is true (if I understand the logic correctly..).  Could you debug why
 this isn't the case?  Maybe issuer_version is wrong?
 
 A complete chain to reproduce this will let me debug it too.
 
 /Simon
 
 Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
 platform have no problems with this old cert.




 -- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
 --- ,verify.c2009-01-06 14:02:41.0 -0600
 +++ verify.c 2009-01-07 17:07:27.0 -0600
 @@ -130,11 +130,20 @@
}
}
  
 -  if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1)
 +  result = gnutls_x509_crt_get_ca_status (issuer, NULL);
 +  if (result == 1)
  {
result = 1;
goto cleanup;
  }
 + /* Old self signed CA certs may not have basic constrant */
 +  else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) 
 +   (gnutls_x509_crt_check_issuer(issuer, issuer) == 1))
 +{
 +  gnutls_assert ();
 +  result = 1;
 +  goto cleanup;
 +}
else
  gnutls_assert ();
  
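Review bot: the new else-if branch in check_if_ca's body accepts any self-signed issuer that lacks basicConstraints as a CA unconditionally, without consulting the `flags` the caller passes in (`check_if_ca (cert, issuer, flags)` in the quoted caller above) or the issuer's version; that is the "too permissive" point raised in the reply, since a version 3 self-signed certificate that merely omitted basicConstraints would also be promoted to CA. Gating the branch on `issuer_version == 1` and on GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT being set keeps the V1 exception opt-in as upstream intends; as written, the caller's own `!((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)` guard is the only thing standing between this branch and every self-signed V3 cert. Minor: "constrant" in the added comment should read "constraint".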
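As an added illustration (written for this page; it is not GnuTLS code and checks no real signatures), the following model captures the three policy decisions argued over in Andrew Daugherity's message and in Doug Engert's A/B/C walk-through: a trusted intermediate ends the walk, MD2/MD5 signatures below the trust anchor are rejected, and a V1 issuer with no basicConstraints is a CA only under the ALLOW_X509_V1_CA_CRT flag. The certificate names, the flag constants, and the assumption that B and Andrew's "ISC CA" carry basicConstraints are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Flag bits modelled on the GnuTLS verify flags named in the thread; the
# values are constructed for this example and are not GnuTLS's own constants.
ALLOW_X509_V1_CA_CRT = 1 << 0   # GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT (on by default)
DISABLE_CA_SIGN = 1 << 1        # GNUTLS_VERIFY_DISABLE_CA_SIGN
DEFAULT_FLAGS = ALLOW_X509_V1_CA_CRT

# Signature hashes that the updated gnutls no longer accepts inside a chain.
WEAK_HASHES = {"md2", "md5"}


@dataclass(frozen=True)
class Cert:
    """A stand-in for an X.509 certificate: only the fields the policy looks at."""
    subject: str
    issuer: str
    version: int                    # 1 = no extensions possible, 3 = may carry them
    sig_hash: str                   # hash in *this* cert's own signature, e.g. "md5"
    basic_constraints_ca: Optional[bool] = None   # None = extension absent (always for V1)


def is_ca(issuer: Cert, flags: int) -> bool:
    """Analogue of check_if_ca(): may `issuer` act as a CA for the cert it signed?"""
    if flags & ALLOW_X509_V1_CA_CRT and issuer.version == 1:
        return True                 # V1 CA accepted on the strength of the flag alone
    return issuer.basic_constraints_ca is True    # absent or false => not a CA


def verify_chain(chain: list[Cert], trusted: list[Cert], flags: int = DEFAULT_FLAGS):
    """Walk from chain[0] (the end-entity) towards a trusted certificate.

    Returns (verified, reason). Trust is matched by subject name only, which
    is a simplification: real validation compares the whole certificate.
    """
    trusted_by_subject = {c.subject: c for c in trusted}
    in_chain = {c.subject: c for c in chain}
    cert = chain[0]
    for _ in range(len(chain) + len(trusted)):      # bounded walk, no infinite loops
        if cert.subject in trusted_by_subject:
            # A trusted cert ends the walk, whether it is the root or an
            # intermediate ("Accept chains where intermediary certs are trusted").
            # Its own signature, MD2/MD5 or not, is therefore never examined.
            return True, f"verified: stopped at trusted cert {cert.subject!r}"
        issuer = trusted_by_subject.get(cert.issuer) or in_chain.get(cert.issuer)
        if issuer is None:
            return False, f"issuer {cert.issuer!r} of {cert.subject!r} not found"
        if cert.sig_hash in WEAK_HASHES:
            return False, f"insecure algorithm: {cert.subject!r} is signed with {cert.sig_hash}"
        if not flags & DISABLE_CA_SIGN and not is_ca(issuer, flags):
            return False, f"signer not CA: {issuer.subject!r} lacks basicConstraints"
        cert = issuer
    return False, "chain does not end in a trusted certificate"


def thread_scenarios() -> dict[str, tuple[bool, str]]:
    """The situations described in the thread, as constructed certificates."""
    # Doug Engert's chain: server A <- intermediate B <- self-signed V1 root C
    # (C models the 1996 Verisign root: version 1, no extensions, old hash).
    c = Cert("C", "C", 1, "md2")
    b = Cert("B", "C", 3, "sha1", basic_constraints_ca=True)   # BC on B is assumed
    a = Cert("A", "B", 3, "sha1")
    # Andrew Daugherity's setup: MD5 self-signed CA and an MD5 server cert,
    # then the server cert re-issued with SHA-1 by the same MD5 CA.
    ca = Cert("ISC CA", "ISC CA", 3, "md5", basic_constraints_ca=True)
    ldap_md5 = Cert("ldap.server", "ISC CA", 3, "md5")
    ldap_sha1 = Cert("ldap.server", "ISC CA", 3, "sha1")
    return {
        "TLS_CACERT has B and C": verify_chain([a, b, c], [b, c]),
        "TLS_CACERT has only B": verify_chain([a, b], [b]),
        "TLS_CACERT has only V1 root C": verify_chain([a, b, c], [c]),
        "only C, V1 flag cleared": verify_chain([a, b, c], [c], flags=0),
        "md5 server cert, md5 CA": verify_chain([ldap_md5, ca], [ca]),
        "sha1 server cert, md5 CA": verify_chain([ldap_sha1, ca], [ca]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in thread_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The last two scenarios reproduce Andrew's observation that re-issuing only the server certificate with SHA-1 is enough, because the MD5 self-signature on the trusted CA is never verified.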

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert

Mathias Gug wrote:
 @Andy:
 
 Could you describe the X509 certs and CA you're using?
 

We were using ldap and Verisign, and the root CA was a V2 from 1999
which signed an intermediate cert that signed the server certs.

I submitted to gnutls a few changes to allow for stopping at the
intermediate cert which I believe they added.

In the meantime, we turned off cert checking, and have now
replaced LDAP Verisign certs with certs issued locally.

I will send you a copy of the note to gnutls from 1/8/2009
which has the certs.


-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
Hi Andy,

On Thu, Jul 09, 2009 at 03:51:04PM -, Andy Wettstein wrote:
 If you want me to attach the openssl.cnf let me know.

Could you please attach your openssl.cnf file so that it's easier to
reproduce your environment?

Thank you,

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
Attaching my openssl.cnf

** Attachment added: openssl.cnf
   http://launchpadlibrarian.net/28850996/openssl.cnf



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the gnutls/hardy SRU:

I have reproduced the acceptance of rsa/md2 v1 certificates by the
version of gnutls13 in hardy-updates, 2.0.4-1ubuntu2.3, and can confirm
that the version of gnutls13 in hardy-proposed does not accept rsa/md2
certificates. I have added a testcase for this situation in the gnutls
test script in the lp:qa-regression-testing bzr tree. The package passes
the rest of the regression test in the testsuite, with the exception of
known bug 292604 which is not a regression (2.0.4-1ubuntu2.3 also fails
this test and it looks like it won't get fixed in hardy).



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the openldap/hardy SRU:

I have:

  (1) reproduced the acceptance of the v1 certificates as
  outlined in Mathias' test case by the ldap clients with ldap
  2.4.9-0ubuntu0.8.04.2 and gnutls13 2.0.4-1ubuntu2.

  (2) reproduced the rejection of v1 certificates by the ldap clients
  with ldap 2.4.9-0ubuntu0.8.04.2 and gnutls13 versions
  2.0.4-1ubuntu2.3 and 2.0.4-1ubuntu2.5.

  (3) confirmed that, with the version of the ldap packages in
  hardy-proposed, 2.4.9-0ubuntu0.8.04.3, the v1 certificates
  are once again accepted when using gnutls13 versions
  2.0.4-1ubuntu2.3 and 2.0.4-1ubuntu2.5.

I have also run the ldap packages in hardy-proposed through the
openldap testcases in the lp:qa-regression-testing bzr tree with all
three available versions of gnutls13 (gnutls13 2.0.4-1ubuntu2,
2.0.4-1ubuntu2.3, 2.0.4-1ubuntu2.5) and confirmed that no regressions
were introduced there either.

I consider the openldap packages verification-done for hardy.



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls13 - 2.0.4-1ubuntu2.5

---
gnutls13 (2.0.4-1ubuntu2.5) hardy-security; urgency=low

  * Fix for certificate chain regressions introduced by fixes for
CVE-2008-4989
  * debian/patches/91_CVE-2008-4989.diff: updated to upstream's final
2.4.2 -> 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
address all known regressions. To summarize from upstream:
- Fix X.509 certificate chain validation error (CVE-2008-4989)
- Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
- Deprecate X.509 validation chains using MD5 and MD2 signatures
- Accept chains where intermediary certs are trusted (LP: #305264)

 -- Jamie Strandboge ja...@ubuntu.com   Fri, 20 Feb 2009 13:02:36 -0600

** Changed in: gnutls13 (Ubuntu Hardy)
   Status: Fix Committed => Fix Released



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/gutsy-updates/gnutls13

** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/gnutls13/gutsy-proposed

** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-security

** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-proposed



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-02 Thread Mika Pflüger
Sorry for my report, it was out of confusion between /etc/ldap.conf and
/etc/ldap/ldap.conf. I think their names are rather unfortunate, but
this is another issue.

Mika



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-27 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/openldap/intrepid-proposed



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-security

** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-proposed



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Howard Chu
Doug Engert wrote:

The real fix is to get the gnutls people to support certificate
directories, like OpenSSL. Why the rush to convert to gnutls
when it has so many issues. (Licencing issues are low on my list of
reasons.)

Indeed, for a security tool you want a package written by experienced
security developers, not a science project. This isn't a game after all.
GnuTLS doesn't even merit a version number greater than 0.5, IMO.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/karmic/openldap



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
I guess we are having the same problem authenticating against a sun open
directory server. I use intrepid-proposed on my client:

r...@client:~# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
gnutls-bin 2.4.1-1ubuntu0.3 gnutls26 install ok installed
ldap-auth-client 0.5.2  install ok installed
ldap-auth-config 0.5.2 ldap-auth-client install ok installed
ldap-utils 2.4.11-0ubuntu6.2 openldap install ok installed
libcurl3-gnutls 7.18.2-1ubuntu4.3 curl install ok installed
libgnutls26 2.4.1-1ubuntu0.3 gnutls26 install ok installed
libldap-2.4-2 2.4.11-0ubuntu6.2 openldap install ok installed
libnss-ldap 260-1ubuntu2  install ok installed
libpam-ldap 184-4ubuntu2  install ok installed

The rest is attached:
ldap.conf
output of gnutls-cli -p636 --x509cafile CAFILE srv.obf.obf.ob
output of ldapsearch -x -ZZ -d7

If you need anything else, please ask.


** Attachment added: output of gnutls-cli -p636 --x509cafile CAFILE srv.obf.obf.ob
   http://launchpadlibrarian.net/28369414/gnutls-cli_-p636_--x509cafile_CAFILE_srv.obf.usc.at



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger

** Attachment added: our ldap.conf
   http://launchpadlibrarian.net/28369422/ldap.conf



[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger

** Attachment added: output of ldapsearch -x -ZZ -d7
   http://launchpadlibrarian.net/28369454/ldapsearch_-x_-ZZ_-d7


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-05-07 Thread Sergio Zanchetta
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

** Changed in: gnutls13 (Ubuntu Gutsy)
   Status: Fix Committed => Won't Fix


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-04-02 Thread Mathias Gug
@Stephan:

Could you provide the output of the following command run on the system
where the ldap failure happens:

dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep
'slapd|ldap|gnutls'


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-27 Thread Mathias Gug
** Changed in: openldap (Ubuntu Hardy)
   Status: Triaged => Fix Committed


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread star26bsd
Even though the issue has been reported as 'fixed' I am still facing
this problem with an OpenBSD OpenLDAP server:

# ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch 
-ZZ -d1
...

TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_start_tls: Connect error (-11)

I've tried on Hardy and Intrepid with the same results. I tried
specifying TLS_CACERT with no luck.

An openSUSE 11.0 client works out of the box, though.


Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Mathias Gug

On Thu, Mar 26, 2009 at 04:35:38PM -, star26bsd wrote:
> Even though the issue has been reported as 'fixed' I am still facing
> this problem with an OpenBSD OpenLDAP server:
> 
> # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H 
> ldap://ldap.ini.uzh.ch -ZZ -d1
> ...
> 
> TLS: peer cert untrusted or revoked (0x42)

@Stephan: Please include the information requested at
https://wiki.ubuntu.com/DebuggingOpenldap#ssl-client-failure.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Howard Chu
Mathias, in regards to the wiki you linked above, my preference when
debugging these issues is to recommend debug level 7, which includes
packet traces, instead of debug 1. It's much better (to me) to be able
to see all the traffic, which includes the raw transfer of certificates
and their DER DNs, when tracking down TLS problems.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Changed in: openldap (Ubuntu Intrepid)
 Assignee: (unassigned) => Mathias Gug (mathiaz)

** Changed in: openldap (Ubuntu Hardy)
 Assignee: (unassigned) => Mathias Gug (mathiaz)


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Description changed:

  I noticed recently that landscape-client could no longer contact our
  staging server. Fortunately, contacting the production server is still
  ok.
  
  This command is an easy way to reproduce the problem. It is failing
  against staging.landscape.canonical.com:
  
  gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt
  staging.landscape.canonical.com
  
  I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works
  in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get
  an update.
  
  I concentrated the rest of my tests in dapper.
  
  With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
  With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.
  
  Here is the chain as seen by gnutls against staging.landscape.canonical.com:
  [0]
  Subject's DN: O=*.landscape.canonical.com,OU=Domain Control 
Validated,CN=*.landscape.canonical.com
  Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, 
Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure 
Certification Authority,serialNumber=07969287
  
  [1]
  Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, 
Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure 
Certification Authority,serialNumber=07969287
  Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 
Certification Authority
  
  [2]
  Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 
Certification Authority
  Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert 
Class 2 Policy Validation 
Authority,CN=http://www.valicert.com/,email=i...@valicert.com
  
  [3]
  Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert 
Class 2 Policy Validation 
Authority,CN=http://www.valicert.com/,email=i...@valicert.com
  Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert 
Class 2 Policy Validation 
Authority,CN=http://www.valicert.com/,email=i...@valicert.com
  
  
  Notice that the last certificate in the chain is the CA certificate, which is 
self signed. I wonder if the recent security fix broke that:
  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
if it is self-signed in lib/x509/verify.c
  
  Here is openssl's chain against the same site (staging):
  Certificate chain
   0 s:/O=*.landscape.canonical.com/OU=Domain Control 
Validated/CN=*.landscape.canonical.com
 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, 
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure 
Certification Authority/serialNumber=07969287
   1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, 
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure 
Certification Authority/serialNumber=07969287
 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification 
Authority
   2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification 
Authority
 i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 
Policy Validation 
Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
   3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 
Policy Validation 
Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
 i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 
Policy Validation 
Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
  
  Openssl's s_client tool works, btw.
+ 
+ TESTCASE for openldap SRU:
+ 
+ 1. Generate a V1 root CA. Can be done with an openssl configuration that
+ does not use any x509 extensions. Make sure that the generated root CA
+ is a V1 root CA.
+ 
+ 2. Generate a client private key and a V1 certificate signed by the root
+ CA above. Note that the CN of the certificate has to match the fqdn of
+ the test system.
+ 
+ 3. Install slapd and ldap-utils on a test system and configure slapd to
+ use TLS:
+ 
+   a. Enable TLS in cn=config backend:
+ 
+ math...@t-slapd-i:~$ cat enable-ca.ldif 
+ dn: cn=config
+ add: olcTLSCACertificateFile
+ olcTLSCACertificateFile: /etc/ldap/cacert.pem
+ 
+ dn: cn=config
+ add: olcTLSCertificateFile
+ olcTLSCertificateFile: /etc/ldap/newcert.pem
+ 
+ dn: cn=config
+ add: olcTLSCertificateKeyFile
+ olcTLSCertificateKeyFile: /etc/ldap/key.pem
+ 
+ math...@t-slapd-i:~$ ldapmodify -D cn=admin,cn=config -x -w mypwd -f
+ enable-ca.ldif
+ 
+   b. Copy the root CA certificate to /etc/ldap/cacert.pem, the host 
certificate to  /etc/ldap/newcert.pem and the host private key to 
/etc/ldap/key.pem. Make them owned by the openldap user and group. 
+   c. Append the root CA certificate (/etc/ldap/cacert.pem) to the host 
certificate file (/etc/ldap/newcert.pem).
+   d. Enable slaps in /etc/default/slapd.
+   e. Restart slapd.
+ 
+ 4. Make sure that slapd is correctly configured to use TLS:
+   a. Downgrade libgnutls to the version in the release (not the one in 
-security, -update or  -proposed).
+   b. Check that ldapsearch 

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-17 Thread redbaron
I've noticed strange behaviour which could be related to this bug.

#certtool -i < ldap-cert.pem | grep -i issu
Issuer: 
C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ca.domain.my,email=ad...@domain.my

#certtool -e --load-ca-certificate cacert.pem < ldap-cert.pem
Issued by: 
C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ldap.florist.my,email=ad...@florist.ru
certtool: Error: The last certificate is not self signed.

Notice that in verify mode it thinks the issuer is the same as the CN of
ldap-cert.pem, while in information mode it shows the issuer correctly.

Of course openssl verify verifies ldap-cert.pem seamlessly.


Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Doug Engert

Mathias Gug wrote:
> One workaround is to put all of the CA certs in the trusted CA
> certificate file.

Yes, that is what we have had to do.

The real fix is to get the gnutls people to support certificate
directories, like OpenSSL. Why the rush to convert to gnutls
when it has so many issues. (Licencing issues are low on my list of
reasons.)

 
> If the system running slapd is on hardy (or intrepid or jaunty) you
> should also add all of the CA certificates to the server certificate
> file - this is to workaround a bug where the slapd daemon doesn't send
> all of the CA certificates to the client.

All or just the intermediate certificates?

Another issue with gnutls, no intermediate file (or directory) of
certificates.



--

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Mathias Gug
On Mon, Mar 09, 2009 at 02:21:58PM -, Doug Engert wrote:
> The real fix is to get the gnutls people to support certificate
> directories, like OpenSSL. Why the rush to convert to gnutls
> when it has so many issues. (Licencing issues are low on my list of
> reasons.)

Licensing was the main motivation to move to 2.4 and GnuTLS. The other
option was to keep the client libraries to 2.1.

> > If the system running slapd is on hardy (or intrepid or jaunty) you
> > should also add all of the CA certificates to the server certificate
> > file - this is to workaround a bug where the slapd daemon doesn't send
> > all of the CA certificates to the client.
> 
> All or just the intermediate certificates?
> 

The intermediate certificates should be enough. If not, all of them
should work.

> Another issue with gnutls, no intermediate file (or directory) of
> certificates.


Please open a new bug to track this specific issue.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
** Changed in: openldap (Ubuntu Jaunty)
   Status: Triaged => In Progress


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
One workaround is to put all of the CA certs in the trusted CA
certificate file.

If the system running slapd is on hardy (or intrepid or jaunty) you
should also add all of the CA certificates to the server certificate
file - this is to workaround a bug where the slapd daemon doesn't send
all of the CA certificates to the client.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.15-1ubuntu1

---
openldap (2.4.15-1ubuntu1) jaunty; urgency=low

  [ Steve Langasek ]
  * Update priority of libldap-2.4-2 to match the archive override.
  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
ldapurl(1) manpage.  Thanks to Peter Marschall for the patch.
Closes: #496749.
  * Bump build-dependency on debhelper to 6 instead of 5, since that's
what we're using.  Closes: #498116.
  * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
the built-in default of ldap:/// only.

  [ Mathias Gug ]
  * Merge from debian unstable, remaining changes:
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
- AppArmor support:
  - debian/apparmor-profile: add AppArmor profile
  - debian/slapd.postinst: Reload AA profile on configuration
  - updated debian/slapd.README.Debian for note on AppArmor
      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
      - debian/control: Conflicts with apparmor-profiles < 2.1+1075-0ubuntu4
        to make sure that if earlier version of apparmor-profiles gets
        installed it won't overwrite our profile.
      - follow ApparmorProfileMigration and force apparmor complain mode on
some upgrades (LP: #203529)
  - debian/slapd.dirs: add etc/apparmor.d/force-complain
  - debian/slapd.preinst: create symlink for force-complain on pre-feisty
upgrades, upgrades where apparmor-profiles profile is unchanged (ie
non-enforcing) and upgrades where apparmor profile does not exist.
  - debian/slapd.postrm: remove symlink in force-complain/ on purge
- debian/control:
      - Build-depend on libltdl7-dev rather than libltdl3-dev.
- debian/patches/autogen.sh:
  - Call libtoolize with the --install option to install config.{guess,sub}
files.
- Don't use local statement in config script as it fails if /bin/sh
  points to bash (LP: #286063).
- Disable the testsuite on hppa. Allows building of packages on this
  architecture again, once this package is in the archive.
  LP: #288908.
- debian/slapd.postinst, debian/slapd.script-common: set correct ownership
  and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
  /var/run/slapd (world readable). (LP: #257667).
- Enable nssoverlay:
  - debian/patches/nssov-build, debian/rules: Build and package
the nss overlay.
  - debian/schema/misc.ldif: add ldif file for the misc schema
which defines rfc822MailMember (required by the nss overlay).
- debian/{control,rules}: enable PIE hardening
- Use cn=config as the default configuration backend instead of
  slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
  asking the end user to enter a new password to control the access to the
  cn=config tree.
  * Dropped:
- debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
  times. (ITS: #5947) Fixed in new upstream version 2.4.15.
- debian/patches/fix-ucred-libc due to changes how newer glibc handle
  the ucred struct now. Implemented in Debian.
  * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure
when built with PIE.
  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
trusted (LP: #305264).

openldap (2.4.15-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream version
- Fixes a bug with the pcache overlay not returning cached entries
  (closes: #497697)
- Update evolution-ntlm patch to apply to current Makefiles.
- (tentatively) drop gnutls-ciphers, since this bug was reported to be
  fixed upstream in 2.4.8.  The fix applied in 2.4.8 didn't match the
  patch from the bug report, so this should be watched for regressions.
  * Build against db4.7 instead of db4.2 at last!  Closes: #421946.
  * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
installed in the build environment.
  * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with
current headers in unstable

 -- Mathias Gug math...@ubuntu.com   Fri, 06 Mar 2009 17:34:21 -0500

** Changed in: openldap (Ubuntu Jaunty)
   Status: In Progress => Fix Released


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
I've attached the specific patch that enables V1 certs to be trusted.

** Attachment added: gnutls-v1-cert-enabled.patch
   http://launchpadlibrarian.net/23565417/gnutls-v1-cert-enabled.patch


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Mathias Gug
I was able to reproduce the libldap client bug:

0. Need two versions of openldap : one compiled with gnutls, the other with
openssl.

1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with the certificates issued above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

math...@t-slapd-gnutls:~$ ldapsearch -b dc=vmnet -D cn=admin,dc=vmnet -x -w
mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I've filed a bug in openldap bug tracker:
http://www.OpenLDAP.org/its/index.cgi?findid=5992

Note that a possible workaround is to put *all* of the CA certificates
from the chain in the TLS_CACERT file. If one of the intermediate CA
certs is a V3 certificate gnutls shouldn't fail and the ldap connection
should proceed.

This is actually mentioned in the Admin guide:

16.2.2.1. TLS_CACERT filename

  This is equivalent to the server's TLSCACertificateFile option. As
noted in the TLS Configuration section, a client typically  may need to
know about more CAs than a server, but otherwise the same considerations
apply.

which points to section 16.2.1.1. TLSCACertificateFile filename:

  If the signing CA was not a top-level (root) CA, certificates for the
entire sequence of CA's from the signing CA to the top-level CA should
be present.


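An added triage helper, written for this edit and not part of the bug, the SRU test case, or the OpenLDAP/gnutls code. It does two things the thread keeps needing by hand: it decodes the hex status libldap prints after "peer cert untrusted or revoked" (the 0x82 above, and the 0x42 reported elsewhere in this thread) into the gnutls_certificate_status_t flags it is built from, and it walks a CA certificate's DER to report whether it is X.509 v1 or a v3 certificate without basicConstraints cA=TRUE, which is the check step 1 of the SRU test case ("make sure that the generated root CA is a V1 root CA") asks for. Assumptions: the flag values are those of gnutls's gnutls.h enum (INVALID=0x2, REVOKED=0x20, SIGNER_NOT_FOUND=0x40, SIGNER_NOT_CA=0x80, INSECURE_ALGORITHM=0x100); the DER reader handles definite lengths only and verifies no signatures; the three sample inputs are constructed DER skeletons with empty name, validity and key fields, not real certificates.

```python
import base64
import re

# Flag values of gnutls_certificate_status_t (gnutls/gnutls.h, assumed here);
# libldap's tls_g.c prints the raw bitmask after "peer cert untrusted or revoked".
GNUTLS_CERT_STATUS = {
    0x002: "GNUTLS_CERT_INVALID",
    0x020: "GNUTLS_CERT_REVOKED",
    0x040: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    0x080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x100: "GNUTLS_CERT_INSECURE_ALGORITHM",
}


def decode_tls_status_line(line):
    """Return the gnutls flag names for an ldapsearch -d1 TLS error line, or None."""
    m = re.search(r"peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)", line)
    if not m:
        return None
    status = int(m.group(1), 16)
    return [name for bit, name in sorted(GNUTLS_CERT_STATUS.items()) if status & bit]


# Minimal DER reader: enough to walk Certificate -> tbsCertificate -> extensions.
def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """All TLVs laid end to end in buf[start:end]."""
    out, pos = [], start
    while pos < end:
        tlv = _tlv(buf, pos)
        out.append(tlv)
        pos = tlv[2]
    return out


OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")     # id-ce-basicConstraints 2.5.29.19


def classify_ca_cert(der):
    """Return {'version': 1|2|3, 'basic_constraints': bool, 'ca': bool|None}."""
    _, cert_s, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)             # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_s, tbs_e)
    version = 1                                     # absent [0] Version means v1
    if fields[0][0] == 0xA0:
        _, v_s, _ = _tlv(der, fields[0][1])         # INTEGER 0/1/2 -> v1/v2/v3
        version = der[v_s] + 1
    info = {"version": version, "basic_constraints": False, "ca": None}
    for tag, f_s, _ in fields:
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        _, ext_s, ext_e = _tlv(der, f_s)            # Extensions ::= SEQUENCE OF Extension
        for _, x_s, x_e in _children(der, ext_s, ext_e):
            parts = _children(der, x_s, x_e)        # OID, [critical BOOLEAN], OCTET STRING
            if der[parts[0][1]:parts[0][2]] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc_s, bc_e = _tlv(der, parts[-1][1])  # BasicConstraints ::= SEQUENCE
            inner = _children(der, bc_s, bc_e)
            info["basic_constraints"] = True
            # cA BOOLEAN DEFAULT FALSE: absent or 0x00 means "not a CA"
            info["ca"] = bool(inner) and inner[0][0] == 0x01 and der[inner[0][1]] != 0
    return info


def gnutls_accepts_as_signer(info):
    """gnutls default policy (no GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT): v3 with cA=TRUE only."""
    return info["version"] == 3 and info["ca"] is True


def load_pem_certs(text):
    """DER blobs from a PEM bundle such as /etc/ssl/certs/ca-certificates.crt."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]


# Constructed test inputs: structurally valid DER skeletons, not real certificates.
def _der(tag, payload=b""):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _skeleton(version_field=b"", extensions=b""):
    # serial, then empty sigalg/issuer/validity/subject/spki placeholders
    body = [version_field, _der(0x02, b"\x01")] + [_der(0x30)] * 5 + [extensions]
    tbs = _der(0x30, b"".join(body))
    return _der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00"))


def sample_certs():
    v3 = _der(0xA0, _der(0x02, b"\x02"))
    bc_true = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff")
                   + _der(0x04, _der(0x30, _der(0x01, b"\xff"))))
    key_usage = _der(0x30, _der(0x06, bytes.fromhex("551d0f")) + _der(0x04, _der(0x03, b"\x00")))
    return {
        "v1_ca": _skeleton(),                                        # the case this bug is about
        "v3_ca_true": _skeleton(v3, _der(0xA3, _der(0x30, bc_true))),
        "v3_no_bc": _skeleton(v3, _der(0xA3, _der(0x30, key_usage))),
    }


if __name__ == "__main__":
    for name, der in sample_certs().items():
        info = classify_ca_cert(der)
        print(name, info, "accepted as signer:", gnutls_accepts_as_signer(info))
    print(decode_tls_status_line("TLS: peer cert untrusted or revoked (0x82)"))
```

Against a real file, call `classify_ca_cert(load_pem_certs(open(path).read())[0])` on the root you put in TLS_CACERT. The two status values seen in this thread decode differently: 0x82 is INVALID|SIGNER_NOT_CA, the V1-root rejection this bug tracks; 0x42 is INVALID|SIGNER_NOT_FOUND, which points at the issuer chain not being in the trust file rather than at the V1 policy.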

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Howard Chu
libldap is now patched in OpenLDAP cvs HEAD. We anticipate releasing a
bugfix-only 2.4.16 release very soon, with this fix included.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-21 Thread Jamie Strandboge
Dapper through Intrepid have been copied to -proposed now.

** Tags added: verification-needed


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
** Changed in: gnutls12 (Ubuntu Dapper)
   Status: Triaged => In Progress

** Changed in: gnutls13 (Ubuntu Gutsy)
   Status: Triaged => In Progress

** Changed in: gnutls13 (Ubuntu Hardy)
   Status: Triaged => In Progress

** Changed in: gnutls26 (Ubuntu Intrepid)
   Status: Triaged => In Progress

** Changed in: gnutls26 (Ubuntu Intrepid)
   Importance: Undecided => High


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
Upstream released 2.4.3 to address both the vulnerability and the known
regressions. Reviewing upstream's mailing list shows no regressions so
far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its
patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix
Released'.

I have backported the relevant patches to Dapper through Intrepid, and
am testing them now. I will upload them shortly for testing.

** Changed in: gnutls26 (Ubuntu Jaunty)
   Status: Triaged => Fix Released


Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Doug Engert
Thanks.

Jamie Strandboge wrote:
> Upstream released 2.4.3 to address both the vulnerability and the known
> regressions. Reviewing upstream's mailing list shows no regressions so
> far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its
> patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix
> Released'.
> 
> I have backported the relevant patches to Dapper through Intrepid, and
> am testing them now. I will upload them shortly for testing.
> 
> ** Changed in: gnutls26 (Ubuntu Jaunty)
>        Status: Triaged => Fix Released
> 

--

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
Dapper - Intrepid have been uploaded to the ubuntu-security-proposed ppa
(https://launchpad.net/~ubuntu-security-proposed/+archive/ppa). Once
they have finished building, they can be pocket copied to -proposed and
people can use https://wiki.ubuntu.com/Testing/EnableProposed. Please
leave feedback here so they can be moved to -updates.

** Changed in: gnutls12 (Ubuntu Dapper)
   Status: In Progress => Fix Committed

** Changed in: gnutls13 (Ubuntu Gutsy)
   Status: In Progress => Fix Committed

** Changed in: gnutls13 (Ubuntu Hardy)
   Status: In Progress => Fix Committed

** Changed in: gnutls26 (Ubuntu Intrepid)
   Status: In Progress => Fix Committed


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-11 Thread Fredrik Ljunggren
I believe applying the proposed patch is becoming increasingly urgent. It
is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it
didn't break anything.

Pinning libgnutls13 to 2.0.4-1 is not a long-term solution,
especially not for an LTS system. The patch has been verified as working
in staging environments, and I believe we have to come to a decision.

Maintaining my own version of gnutls for the next 4 years doesn't really
appeal to me either..

Also, in my experience it is not uncommon to use home brewed root
certificates without the basicConstraints extension, i.e. for
authentication of the directory service. This configuration fails with
the current ubuntu version.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-01-30 Thread Jamie Strandboge
Commenting per request in #ubuntu-meeting.

It is a really unfortunate situation that these certificates
unintentionally passed verification before the updates. IMO, the
security fix (that is also in other distributions now) is needed and
should not be backed out. Without it, man-in-the middle attacks against
certificate chains are much easier to conduct. From a security
perspective, the patch needs to stay and the gnutls defaults of
disabling V1 certificates need to stay the same.

I am well aware that the current situation breaks certain
configurations, and do not feel I can make the final decision.

There is also the patch in bug #314915, also discussed upstream, that
may be an option. AFAICT, this patch has not been applied upstream yet
and I feel uncomfortable applying it without more Debian and Gnutls
feedback (lately, each time this section of code has been touched
another bug in the certificate chain verification popped up).


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-01-28 Thread Steve Langasek
** Changed in: gnutls26 (Debian)
 Bugwatch: Debian Bug tracker #507633 => Debian Bug tracker #509593


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
I have finally been able to reproduce this with ldapsearch.

After performing:
$ sudo apt-get install ca-certificates ldap-utils

I tried to do on unpatched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://Ian's public ldap server:636/ -d 1
...
ldap_open_defconn: successful
...

and then on patched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://Ian's public ldap server:636/ -d 1
...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

All patched versions of gnutls on Hardy, Intrepid, Jaunty and Debian Sid
are affected (Dapper and Gutsy ldap-utils use openssl and are not
affected).

I cannot reproduce this with the gnutls tools. I have Ian's certificate
and the result of:
$ certtool -e --infile Ian's certificate

is the same for unpatched and patched versions of gnutls on hardy and
intrepid, and also jaunty.

I then did:
$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 \
Ian's public ldap server

and it works fine on patched and unpatched versions of gnutls on hardy
and intrepid, and also on jaunty.


** Also affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: openldap (Ubuntu Dapper)
   Status: New => Invalid

** Changed in: openldap (Ubuntu Gutsy)
   Status: New => Invalid

** Changed in: openldap (Ubuntu Hardy)
   Status: New => Confirmed

** Changed in: openldap (Ubuntu Jaunty)
   Status: New => Confirmed


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
** Changed in: openldap (Ubuntu Intrepid)
   Status: New => Confirmed


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
The ldap issue has been reported in Debian bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509593.

Ian, would you mind adding your ldap server URL to the bug? This way
other developers can test against it. If not, I mentioned in the Debian
report that I would give the URL to the maintainer privately.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
I compiled 2.6.3 on Jaunty and it also gives the same error.


[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
For clarity: Dapper, Gutsy, Hardy and Intrepid have the same patch as
Jaunty (and Sid), which is the same as upstream 2.6.3.
