Bug#514578: libgnutls26: LDAP STARTTLS is broken

Simon Josefsson simon at josefsson.org
Mon Feb 9 12:40:59 UTC 2009

Gábor Gombás <gombasg at sztaki.hu> writes:

> Package: libgnutls26
> Version: 2.4.2-5
> Severity: important
> Hi,
> After upgrading to libgnutls26 2.4.2-5, LDAP authentication fails (including
> ldap-utils, libnss-ldap and apache's mod_authnz_ldap). The error message from
> ldapsearch ends with:
> 	TLS: peer cert untrusted or revoked (0x102)
> 	ldap_err2string
> 	ldap_start_tls: Connect error (-11)
> 2.4.2-6 in sid is also affected. Re-installing 2.4.2-4 fixes the problem.

Please provide output from:

gnutls-cli -p 663 your.ldap.server -d 4711 --print-cert

Replacing your.ldap.server as appropriate.

I suspect your chain contains a certificate signed with RSA-MD5, if so
you need to trust an intermediary certificate directly to work around
the problem.  You'll need 2.4.2-6 for this to work.


More information about the Pkg-gnutls-maint mailing list