Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26
Jamie Strandboge
jamie at ubuntu.com
Tue Dec 23 17:16:39 UTC 2008
Package: libgnutls26
Version: 2.4.2-4
Severity: normal
This was found as a result of the Ubuntu update to gnutls. This also
affects the Ubuntu development release (which has the same version of
gnutls26 as sid) and of course Debian Sid. For more information, please
see:
https://launchpad.net/bugs/305264
Steps to reproduce:
1. apt-get install ca-certificates ldap-utils
2. LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<public ldap server>:636/ -d 1
Result:
ldap_url_parse_ext(ldaps://<public ldap server>:636/)
ldap_create
ldap_url_parse_ext(ldaps://<public ldap server>:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <public ldap server>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <public ip address>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Expected result:
....
ldap_open_defconn: successful
....
What's most interesting is that gnutls-cli and certtool show the
certificate as valid.
I'd be happy to give the URL for the server off-list (I am reporting
this on behalf of the initial reporter, who did not divulge the
information publicly).
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27-7-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgnutls26 depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libtasn1-3 1.5-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libgnutls26 recommends no packages.
Versions of packages libgnutls26 suggests:
ii gnutls-bin 2.4.2-4 the GNU TLS library - commandline
-- no debconf information
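The status word in "TLS: peer cert untrusted or revoked (0x82)" is the gnutls_certificate_status_t bitmask that libgnutls hands back to OpenLDAP, so it can be read directly: 0x82 is GNUTLS_CERT_SIGNER_NOT_CA (0x80) together with GNUTLS_CERT_INVALID (0x02). The shell helpers below are an added example, not part of the report above and not code from OpenLDAP or GnuTLS; they decode that word, pull it out of an "ldapsearch -d 1" transcript, and run the same trust decision against one CA bundle with ldapsearch, gnutls-cli and certtool so the verdicts the report describes as disagreeing can be compared side by side. The host, port and CA bundle path are parameters; the tools are assumed to be the Debian packages ldap-utils and gnutls-bin, and the log line used in the self-check is copied from the report. Why the issuer in this particular report failed the CA check is not something the report states, so the helpers only show where to look.

```shell
#!/bin/sh
# Added example, not from the bug report, OpenLDAP or GnuTLS.
# Assumes ldap-utils (ldapsearch) and gnutls-bin (gnutls-cli, certtool)
# are installed; HOST, PORT and CAFILE are parameters, not fixed values.

# Decode the hex word OpenLDAP prints. It is GnuTLS's
# gnutls_certificate_status_t bitmask from gnutls/gnutls.h:
# 0x82 = 0x80 | 0x02 = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID.
# The NOT_ACTIVATED and EXPIRED bits only exist in releases newer than
# the 2.4.2 reported; they are harmless here because they never match.
gnutls_status_decode() {
    status=$(( $1 ))          # accepts "0x82" or "130"
    out=""
    for pair in \
        2:GNUTLS_CERT_INVALID \
        32:GNUTLS_CERT_REVOKED \
        64:GNUTLS_CERT_SIGNER_NOT_FOUND \
        128:GNUTLS_CERT_SIGNER_NOT_CA \
        256:GNUTLS_CERT_INSECURE_ALGORITHM \
        512:GNUTLS_CERT_NOT_ACTIVATED \
        1024:GNUTLS_CERT_EXPIRED
    do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( status & bit )) -ne 0 ]; then
            out="$out${out:+ }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Extract the status word from "ldapsearch -d 1" output (stdin or files).
ldap_tls_status_from_log() {
    sed -n 's/.*TLS: peer cert untrusted or revoked (\(0x[0-9A-Fa-f]*\)).*/\1/p' "$@"
}

# Run the trust decision three ways against the same CA bundle:
#  1. ldapsearch over ldaps:// (the path that fails in the report),
#  2. gnutls-cli, which calls the same library's verifier itself,
#  3. certtool --verify-chain on the chain the server actually sent,
# then dump each certificate so the issuer's "Certificate Authority (CA)"
# line, the usual reason for a SIGNER_NOT_CA bit, can be inspected.
ldap_tls_compare() {
    host=$1
    port=${2:-636}
    cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    work=$(mktemp -d) || return 1

    echo "== ldapsearch (debug lines only)"
    LDAPTLS_CACERT=$cafile ldapsearch -H "ldaps://$host:$port/" -d 1 \
        -s base -b '' </dev/null 2>&1 \
        | grep -E 'TLS:|ldap_open_defconn|ldap_pvt_connect' || true

    echo "== gnutls-cli"
    gnutls-cli --x509cafile "$cafile" --port "$port" --print-cert "$host" \
        </dev/null >"$work/cli.out" 2>&1 || true
    grep -E '^- ' "$work/cli.out" || true     # gnutls-cli's summary lines

    # Split the PEM chain gnutls-cli printed into one file per certificate.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$work/cli.out" \
        | awk -v dir="$work" '/BEGIN CERTIFICATE/ { n++ } { print > (dir "/cert" n ".pem") }'

    echo "== certtool --verify-chain"
    cat "$work"/cert*.pem >"$work/chain.pem"
    certtool --verify-chain --infile "$work/chain.pem" || true

    echo "== per-certificate subject, issuer and CA flag"
    for f in "$work"/cert*.pem; do
        echo "-- $f"
        certtool -i --infile "$f" \
            | grep -E 'Subject:|Issuer:|Certificate Authority \(CA\)' || true
    done
    rm -rf "$work"
}

# Usage: sh this.sh HOST [PORT] [CAFILE]. With no arguments, just decode
# the status word from the report so the helpers can be sourced or tested.
if [ $# -gt 0 ]; then
    ldap_tls_compare "$@"
else
    printf '0x82 -> %s\n' "$(gnutls_status_decode 0x82)"
fi
```

Reading the decoded bits next to the transcript is what makes the report's "interesting" observation actionable: with an ldaps:// URL the handshake and the verification happen at connect time, which is why the TLS line appears immediately after ldap_pvt_connect and before any StartTLS could run, and gnutls-cli run with the same --x509cafile is the quickest way to see whether the library or the caller is drawing the line differently.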