Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26

Thijs Kinkhorst thijs at debian.org
Mon Feb 2 11:37:01 UTC 2009


Hi,

> I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
> which afaiui are rare.

> Gnutls is documented to not trust this type of certificates unless a
> special flag is set, afaict the bug is about the fact that gnutls
> distrusted them even if the flag was set. Even fixing this did not help
> Douglas, since it would have required changing nss-ldap to pass the
> flag.

I do agree that this is rightfully a 'serious' bug and the fix should
enter lenny. v1 CA certs are not that rare. The Globalsign root
certificate is a v1 cert, and Globalsign is a major vendor of
certificates.

The problem is not really them being disabled by default but that the
intended mechanism to enable them was broken, making it completely
impossible to use the certificates in the intended way if you have a
certificate authority using such a root cert.

The fix in unstable is good and targeted, so I think it should be
unblocked and migrated before the release.


thanks,
Thijs
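A practitioner hit by the error in the subject line wants a quick way to tell whether the root certificate in their CA bundle is the X.509 v1 kind this thread is about, since GnuTLS (as the thread notes) only accepts a v1 certificate as an issuer when the verifier explicitly allows it (the flag is GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to my knowledge; the thread itself only calls it "a special flag"). The following is an added example written for this note, not code from the thread or from GnuTLS: it reads the version field straight out of the DER encoding using only the standard library, so it runs where neither openssl nor a Python X.509 package is installed. The two sample "certificates" are constructed fragments that contain only the leading TBSCertificate fields, which is all the check needs; the function names are my own.

```python
import base64
import re

# --- minimal DER helpers -------------------------------------------------

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _tlv(tag, body):
    """Encode one DER element (used only to build the constructed samples below)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# --- PEM <-> DER ---------------------------------------------------------

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# --- the actual check ----------------------------------------------------

def x509_version(der):
    """Return the X.509 version (1, 2 or 3) encoded in a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }.  A v1
    certificate omits the [0] element entirely, so the TBSCertificate starts
    directly with the serial number.
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: not a DER certificate")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:                        # no [0] EXPLICIT version -> DEFAULT v1
        return 1
    itag, istart, iend = _read_tlv(der, vstart)
    if itag != 0x02:
        raise ValueError("version element does not wrap an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded value 2 means v3

def is_v1(pem):
    """True if the PEM certificate is X.509 v1, the kind GnuTLS distrusts as a CA by default."""
    return x509_version(pem_to_der(pem)) == 1

def describe(pem):
    v = x509_version(pem_to_der(pem))
    if v == 1:
        return "X.509 v1: GnuTLS will not accept this as an issuer unless the verifier allows v1 CA certs"
    return "X.509 v%d: not affected by the v1 CA restriction" % v

# --- constructed samples (leading TBSCertificate fields only, not full certs) ---

# v1: TBSCertificate starts straight with serialNumber INTEGER 1
SAMPLE_V1_PEM = der_to_pem(_tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01"))))

# v3: TBSCertificate starts with [0] { INTEGER 2 } followed by serialNumber INTEGER 1
SAMPLE_V3_PEM = der_to_pem(_tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01"))))

if __name__ == "__main__":
    import sys
    # With file arguments, inspect real PEM files; otherwise show the two samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path) as f:
                print(path, "->", describe(f.read()))
    else:
        print("sample v1 ->", describe(SAMPLE_V1_PEM))
        print("sample v3 ->", describe(SAMPLE_V3_PEM))
```

Pointing this at the CA file configured for ldap-utils (or at each certificate in a bundle, split on the BEGIN/END markers) tells you immediately whether you are in the situation Thijs describes: a chain anchored on a v1 root, which the verifier will reject until the application opts in to v1 issuers.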
