Bug#506853: libgnutls26: 2.4.2-3 breaks OpenLDAP access

Stefan Söffing soeffing at gmx.de
Mon Dec 8 14:16:06 UTC 2008


Thanks for your help, here is the output:


teilchen01:~# gnutls-cli -p 636 thea.physik.uni-kl.de -d 1 --print-cert
--x509cafile /etc/ssl/certs/thea_cacert.pem
Processed 1 CA certificate(s).
Resolving 'thea.physik.uni-kl.de'...
Connecting to '131.246.123.113:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:

 # The hostname in the certificate matches 'thea.physik.uni-kl.de'.
 # valid since: Thu Sep 11 12:52:07 CEST 2008
 # expires at: Sun Sep  9 12:52:07 CEST 2018
 # fingerprint: 20:8B:D5:F0:F6:08:AC:34:9D:13:5B:89:98:5B:D1:63
 # Subject's DN: C=DE,ST=RLP,L=Kaiserslautern,O=Technische
Universitaet,OU=Fachbereich Physik,CN=thea.physik.uni-kl.de
 # Issuer's DN: C=DE,ST=RLP,O=Technische Universitaet,OU=Fachbereich
Physik,CN=CA

 - Certificate[1] info:

 # valid since: Thu Sep 11 12:47:44 CEST 2008
 # expires at: Sun Sep  9 12:47:44 CEST 2018
 # fingerprint: 6E:77:06:02:15:27:B6:B7:A8:67:B4:BF:60:56:64:83
 # Subject's DN: C=DE,ST=RLP,O=Technische Universitaet,OU=Fachbereich
Physik,CN=CA
 # Issuer's DN: C=DE,ST=RLP,O=Technische Universitaet,OU=Fachbereich
Physik,CN=CA


- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...

- Stefan


Simon Josefsson wrote:
> Stefan Söffing <soeffing at gmx.de> writes:
>
>   
>> Hi,
>>
>> thank you for looking into this problem.
>>
>> I just tried libgnutls26 2.4.2-4, unfortunately it doesn't solve this
>> problem for me, I still get
>>
>> - Peer's certificate is NOT trusted
>>
>> for the self-signed certificate. LDAP access is still broken.
>>     
>
> I need the (complete) output from gnutls-cli as requested earlier in
> this thread to debug this.  I can't connect to the server, it seems to
> disconnect directly.
>
> Thanks,
> /Simon
>   





