We encountered this bug today and it has the potential to be pretty
nasty if you're unfortunate enough to hit it. In our case we have
several systems which perform authentication against a Windows domain
using LDAPS. We recently updated the TLS certificate on those systems
and all the services which perform LDAPS authentication started failing
with the symptoms described earlier in this bug.

The new TLS certificate we installed had the same key size and hash
algorithm, but it turned out the root CA & intermediate certificate were
using SHA384 as the signature hash. This in turn caused the LDAPS
connections to stop working. Given the CA's certificates were using
SHA384, reissuing the certificate wasn't going to help, and downgrading
the TLS version was not at all desirable given the potential security
implications.

I've backported the commit referenced by Marc and confirmed it resolves
the problem for us. In my view it'd be wise to push this out to 14.04
users as this issue is going to presumably become more prominent as more
certificates start using stronger hash algorithms and TLS 1.2 becomes
more prevalent.

** Patch added: "fix-tls12-handshake.diff"
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+attachment/4837425/+files/fix-tls12-handshake.diff

-- 
https://bugs.launchpad.net/bugs/1444656

Title:
  GnuTLS TLS 1.2 handshake failure

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
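The check a practitioner would want before rolling out a new certificate on a system like the one described above is whether any issuer in the chain is signed with SHA-384, since that is what tripped the gnutls26 TLS 1.2 handshake here. The following script is an added example, not part of the bug report, the attached patch or GnuTLS itself. It uses only the Python standard library: a minimal DER walker reads the outer signatureAlgorithm of every certificate in a PEM chain and reports the hash. The sample chain is constructed in the script from placeholder certificates (real outer X.509 shape, dummy body and empty signature), so it runs offline; the set of hashes flagged (`FLAGGED_HASHES`) is an assumption based on the SHA-384 case in the report and can be extended.

```python
"""Report the signature hash of each certificate in a PEM chain (stdlib only)."""
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (scheme, hash).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
}

# Assumption: SHA-384 is the hash that broke the handshake in the report; add
# others here if a client is known to reject them as well.
FLAGGED_HASHES = {"SHA-384"}


def _read_tlv(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, content, end_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Dotted string from the content octets of an OBJECT IDENTIFIER."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """(scheme, hash) from the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert)             # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id)         # its first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = _decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, ("unknown", dotted))


def pem_to_der_list(pem_text):
    """Every CERTIFICATE block in PEM text, as DER bytes, in file order."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text, flagged=FLAGGED_HASHES):
    """Per-certificate report: index, scheme, hash and whether the hash is flagged."""
    report = []
    for i, der in enumerate(pem_to_der_list(pem_text)):
        scheme, digest = signature_algorithm(der)
        report.append({"index": i, "scheme": scheme, "hash": digest,
                       "flagged": digest in flagged})
    return report


# --- constructed sample chain: placeholder certificates, not real ones -------

def _der(tag, content):
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Content octets of an OBJECT IDENTIFIER from its dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # higher groups carry the continuation bit
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_certificate(sig_oid):
    """Outer X.509 shape with a dummy TBS body and empty signature; enough to
    exercise signature_algorithm(), not a usable certificate (constructed)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00")                                   # empty BIT STRING
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Mirrors the report: SHA-256 leaf, SHA-384 intermediate and SHA-384 root.
SAMPLE_CHAIN_PEM = "".join(to_pem(make_stub_certificate(oid)) for oid in (
    "1.2.840.113549.1.1.11",   # leaf: sha256WithRSAEncryption
    "1.2.840.113549.1.1.12",   # intermediate: sha384WithRSAEncryption
    "1.2.840.113549.1.1.12",   # root: sha384WithRSAEncryption
))

if __name__ == "__main__":
    for row in audit_chain(SAMPLE_CHAIN_PEM):
        mark = "FLAG" if row["flagged"] else "ok  "
        print(f"{mark} cert[{row['index']}] {row['scheme']} / {row['hash']}")
```

To run it against a real deployment, read the server's PEM bundle (leaf plus intermediates, and the root from the trust store) into `audit_chain`; the leaf alone is not enough, since in the case above it was the issuers, not the leaf, that carried the SHA-384 signatures.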