[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2011-08-10 Thread Bug Watch Updater
** Changed in: gnutls26 (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/305264 Title: gnutls regression: failure in certificate chain

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/dapper-security/gnutls12

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Howard Chu
Just noting for posterity, as of GnuTLS 2.8.0 (released 2009-05-27) you can use %VERIFY_ALLOW_X509_V1_CA_CRT in the TLSCipherSuite options to enable V1 CA certs. I will probably #ifdef the current OpenLDAP patch to turn it off for GnuTLS >= 2.8.0. (Haven't decided on best course of action yet, give

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied openldap 2.4.11-0ubuntu6.2 from -proposed to -updates.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.11-0ubuntu6.2
---
openldap (2.4.11-0ubuntu6.2) intrepid-proposed; urgency=low
  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be trusted (LP: #305264).
 -- Mathias Gug  Wed, 25 Mar 2009 12:52:23 -0400
** Chan

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls26 2.4.1-1ubuntu0.3 from -proposed to -security and -updates.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls26 - 2.4.1-1ubuntu0.3
---
gnutls26 (2.4.1-1ubuntu0.3) intrepid-security; urgency=low
  * Fix for certificate chain regressions introduced by fixes for CVE-2008-4989
  * debian/patches/20_CVE-2008-4989.diff: updated to upstream's final 2.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Copied gnutls12 1.2.9-2ubuntu1.5 to dapper-security and dapper-updates
** Changed in: gnutls12 (Ubuntu Dapper) Status: Fix Committed => Fix Released
** Tags added: verification-done
** Tags removed: verification-needed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-13 Thread Jamie Strandboge
Hardy openldap2.3 was fixed awhile ago, but didn't auto-close:
openldap2.3 (2.4.9-0ubuntu0.8.04.3) hardy-proposed; urgency=low
  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be trusted (LP: #305264).
 -- Mathias Gug < math...@ubuntu.com (mathiaz: 10900) [universe- con

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-08-07 Thread Jamie Strandboge
We need to push gnutls12 in Dapper and gnutls26 in Intrepid in -proposed to -security since these fix CVE-2009-2409. Dapper should not be a problem with openldap since openldap uses libssl0.9.8 on Dapper. For Intrepid, openldap will need to be copied as was done with Hardy. ** CVE added: http://w

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-14 Thread Andrew Daugherity
I ran into the same problem (the update to libgnutls13 2.0.4-1ubuntu2.5 broke LDAP auth, due to the certificate chain no longer validating). The quick fix was to set TLS_REQCERT to allow in /etc/ldap/ldap.conf, but that is just a temporary workaround. Indeed, using gnutls-cli to connect to server:

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
Attaching my openssl.cnf
** Attachment added: "openssl.cnf" http://launchpadlibrarian.net/28850996/openssl.cnf

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
Hi Andy,
On Thu, Jul 09, 2009 at 03:51:04PM -, Andy Wettstein wrote:
> If you want me to attach the openssl.cnf let me know.
Could you please attach your openssl.cnf file so that it's easier to reproduce your environment?
Thank you,
-- Mathias Gug Ubuntu Developer http://www.ubuntu.com -

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert
Mathias Gug wrote:
> @Andy:
>
> Could you describe the X509 certs and CA you're using?
>
We were using ldap and Verisign, and the root CA was a V2 from 1999 which signed an intermediate cert that signed the server certs. I submitted to gnutls a few changes to allow for stopping at the intermedi

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Doug Engert
Copy of note sent on 1/8/2009: Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0) and the CA self signed cert (7651b327.0) a debug version of verify.c and partial output of an ldapsearch using the debug.c My patch has been #if 0'ed out at line 151. Let's refe

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I am using a self created CA with certificates signed by it. I used this command to create it:
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout physicsCA/private/cakey.pem -out physicsCA/cacert.pem -days 2190
I create and sign the certificates with these commands:
openssl re

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Mathias Gug
@Andy: Could you describe the X509 certs and CA you're using?

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Andy Wettstein
I'm seeing problems with the new version. Tests with either SSH or sudo, my first password attempt is rejected, yet the second attempt succeeds. I get this in the logs:
pam_ldap: ldap_starttls_s: Connect error
Setting tls_checkpeer to no in /etc/ldap.conf makes things work fine again. Reverti

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-09 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/gutsy-updates/gnutls13
** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/gnutls13/gutsy-proposed
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-security
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls13 - 2.0.4-1ubuntu2.5
---
gnutls13 (2.0.4-1ubuntu2.5) hardy-security; urgency=low
  * Fix for certificate chain regressions introduced by fixes for CVE-2008-4989
  * debian/patches/91_CVE-2008-4989.diff: updated to upstream's final 2.4.2

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the openldap/hardy SRU: I have:
(1) reproduced the acceptance of the v1 certificates as outlined in Mathias' test case by the ldap clients with ldap 2.4.9-0ubuntu0.8.04.2 and gnutls13 2.0.4-1ubuntu2.
(2) reproduced the rejection of v1 certificates by the ldap clients wi

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-08 Thread Steve Beattie
For the gnutls/hardy SRU: I have reproduced the acceptance of rsa/md2 v1 certificates by the version of gnutls13 in hardy-updates, 2.0.4-1ubuntu2.3, and can confirm that the version of gnutls13 in hardy-proposed does not accept rsa/md2 certificates. I have added a testcase for this situation in th

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-07-02 Thread Mika Pflüger
Sorry for my report, it was out of confusion between /etc/ldap.conf and /etc/ldap/ldap.conf. I think their names are rather unfortunate, but this is another issue. Mika

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/openldap/intrepid-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/karmic/openldap

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Howard Chu
Doug Engert wrote:
>The real fix is to get the gnutls people to support certificate
>directories, like OpenSSL. Why the rush to convert to gnutls
>when it has so many issues. (Licencing issues are low on my list of
>reasons.)
Indeed, for a security tool you want a package written by experienced s

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-26 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-security
** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-proposed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
** Attachment added: "output of ldapsearch -x -ZZ -d7" http://launchpadlibrarian.net/28369454/ldapsearch_-x_-ZZ_-d7

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
** Attachment added: "our ldap.conf" http://launchpadlibrarian.net/28369422/ldap.conf

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-06-25 Thread Mika Pflüger
I guess we are having the same problem authenticating against a sun open directory server. I use intrepid-proposed on my client:
r...@client:~# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
gnutls-bin 2.4.1-1ubuntu0.3 gnutls26 install ok installed
ldap

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-05-07 Thread Sergio Zanchetta
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.
** Changed in: gnutls13 (Ubuntu Gutsy) Status: Fix Committed => Won't Fix

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-04-02 Thread Mathias Gug
@Stephan: Could you provide the output of the following command run on the system where the ldap failure happens:
dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-04-01 Thread star26bsd
@Martin Pitt: Ok, here's all the stuff:
$ ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d7
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch)
ldap_create
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_i

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-27 Thread Mathias Gug
** Changed in: openldap (Ubuntu Hardy) Status: Triaged => Fix Committed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Howard Chu
Mathias, in regards to the wiki you linked above, my preference when debugging these issues is to recommend debug level 7, which includes packet traces, instead of debug 1. It's much better (to me) to be able to see all the traffic, which includes the raw transfer of certificates and their DER DNs,

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread Mathias Gug
On Thu, Mar 26, 2009 at 04:35:38PM -, star26bsd wrote:
> Even though the issue has been reported as 'fixed' I am still facing
> this problem with an OpenBSD OpenLDAP server:
>
> # ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H
> ldap://ldap.ini.uzh.ch -ZZ -d1
> ...
>
> TLS: peer cert

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-26 Thread star26bsd
Even though the issue has been reported as 'fixed' I am still facing this problem with an OpenBSD OpenLDAP server:
# ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d1
...
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_start_tls: Connect error (

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Description changed: I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok. This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com: gnu

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-25 Thread Mathias Gug
** Changed in: openldap (Ubuntu Intrepid) Assignee: (unassigned) => Mathias Gug (mathiaz)
** Changed in: openldap (Ubuntu Hardy) Assignee: (unassigned) => Mathias Gug (mathiaz)

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-17 Thread redbaron
I've noticed strange behaviour which could be related to this bug.
#certtool -i < ldap-cert.pem | grep -i issu
Issuer: C=RU,ST=State,L=City,O=company,OU=SysAdmin,CN=ca.domain.my,email=ad...@domain.my
#certtool -e --load-ca-certificate cacert.pem < ldap-cert.pem
Issued by: C=RU

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Mathias Gug
On Mon, Mar 09, 2009 at 02:21:58PM -, Doug Engert wrote:
> The real fix is to get the gnutls people to support certificate
> directories, like OpenSSL. Why the rush to convert to gnutls
> when it has so many issues. (Licencing issues are low on my list of
> reasons.)
Licensing was the main mot

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-09 Thread Doug Engert
Mathias Gug wrote:
> One workaround is to put all of the CA certs in the trusted CA
> certificate file.
Yes, that is what we have had to do. The real fix is to get the gnutls people to support certificate directories, like OpenSSL. Why the rush to convert to gnutls when it has so many issues. (L

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
I've attached the specific patch that enable V1 Certs to be trusted.
** Attachment added: "gnutls-v1-cert-enabled.patch" http://launchpadlibrarian.net/23565417/gnutls-v1-cert-enabled.patch

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openldap - 2.4.15-1ubuntu1
---
openldap (2.4.15-1ubuntu1) jaunty; urgency=low
  [ Steve Langasek ]
  * Update priority of libldap-2.4-2 to match the archive override.
  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the lda

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
One workaround is to put all of the CA certs in the trusted CA certificate file. If the system running slapd is on hardy (or intrepid or jaunty) you should also add all of the CA certificates to the server certificate file - this is to work around a bug where the slapd daemon doesn't send all of th

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-06 Thread Mathias Gug
** Changed in: openldap (Ubuntu Jaunty) Status: Triaged => In Progress

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Howard Chu
libldap is now patched in OpenLDAP cvs HEAD. We anticipate releasing a bugfix-only 2.4.16 release very soon, with this fix included.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-03-04 Thread Mathias Gug
I was able to reproduce the libldap client bug:
0. Need two versions of openldap: one compiled with gnutls, the other with openssl.
1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with certificates issued above.
4. Tr

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-24 Thread Doug Engert
Tried the Intrepid version, looks like it works. Thanks.
Jamie Strandboge wrote:
> Dapper through Intrepid have been copied to -proposed now.
>
> ** Tags added: verification-needed
>
-- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-21 Thread Jamie Strandboge
Dapper through Intrepid have been copied to -proposed now.
** Tags added: verification-needed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
Dapper - Intrepid have been uploaded to the ubuntu-security-proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ppa). Once they have finished building, they can be pocket copied to -proposed and people can use https://wiki.ubuntu.com/Testing/EnableProposed. Please leave feedback

Re: [Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Doug Engert
Thanks.
Jamie Strandboge wrote:
> Upstream released 2.4.3 to address both the vulnerability and the known
> regressions. Reviewing upstream's mailing list shows no regressions so
> far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its
> patches in line with upstream 2.4.3, so I

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
Upstream released 2.4.3 to address both the vulnerability and the known regressions. Reviewing upstream's mailing list shows no regressions so far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix Released'. I h

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-20 Thread Jamie Strandboge
** Changed in: gnutls12 (Ubuntu Dapper) Status: Triaged => In Progress
** Changed in: gnutls13 (Ubuntu Gutsy) Status: Triaged => In Progress
** Changed in: gnutls13 (Ubuntu Hardy) Status: Triaged => In Progress
** Changed in: gnutls26 (Ubuntu Intrepid) Status: Triaged

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-19 Thread Steve Langasek
Further discussion led to the observation that OpenLDAP's gnutls support is a port of the existing OpenSSL handling, and it's therefore reasonable for openldap itself to enable the V1 CA cert option in order to provide feature parity when building with GnuTLS vs. OpenSSL, even if this is not altoge

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-02-11 Thread Fredrik Ljunggren
I believe applying the proposed patch is becoming increasingly urgent. It is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it didn't break anything. Pinning down on 2.0.4-1 of libgnutls13 is not a long-term solution, especially not for an LTS system. The patch has been verified

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-01-30 Thread Jamie Strandboge
Commenting per request in #ubuntu-meeting. It is a really unfortunate situation that these certificates unintentionally passed verification before the updates. IMO, the security fix (that is also in other distributions now) is needed and should not be backed out. Without it, man-in-the middle atta

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-01-28 Thread Steve Langasek
The Debian gnutls maintainer points to , which shows how this is a gnutls bug rather than an openldap one. Reopening the gnutls tasks and closing the openldap tasks. The upstream commit is given here. http://git.sa

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2009-01-28 Thread Steve Langasek
** Changed in: gnutls26 (Debian) Bugwatch: Debian Bug tracker #507633 => Debian Bug tracker #509593

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
For clarity: Dapper, Gutsy, Hardy and Intrepid have the same patch as Jaunty (and Sid), which is the same as upstream 2.6.3.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
I compiled 2.6.3 on Jaunty and it also gives the same error.

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
The ldap issue has been reported in Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509593. Ian, would you mind adding your ldap server URL to the bug? This way other developers can test against it. If not, I mentioned in the Debian report that I would give the URL to the maintainer p

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
** Changed in: openldap (Ubuntu Intrepid) Status: New => Confirmed

[Bug 305264] Re: gnutls regression: failure in certificate chain validation

2008-12-23 Thread Jamie Strandboge
I have finally been able to reproduce this with ldapsearch. After performing:
$ sudo apt-get install ca-certificates ldap-utils
I tried to do on unpatched hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://:636/ -d 1
...
ldap_open_defconn: successful
...
and th