Bug#514578: libgnutls26: LDAP STARTTLS is broken
Simon Josefsson
simon at josefsson.org
Mon Feb 9 16:03:20 UTC 2009
On Mon, 2009-02-09 at 16:48 +0100, Gabor Gombas wrote:
> On Mon, Feb 09, 2009 at 01:40:59PM +0100, Simon Josefsson wrote:
>
> > Please provide output from:
> >
> > gnutls-cli -p 663 your.ldap.server -d 4711 --print-cert
>
> Here it is:
Thanks. The server certificate is signed using RSA-MD5 so the failure
is correct.
> > Replacing your.ldap.server as appropriate.
> >
> > I suspect your chain contains a certificate signed with RSA-MD5, if so
> > you need to trust an intermediary certificate directly to work around
> > the problem. You'll need 2.4.2-6 for this to work.
>
> There is no intermediary certificate. The server's cert is signed by the
> top-level CA directly, and TLS_CACERT in ldap.conf points to the CA
> certificate. I can't point TLS_CACERT to the server's certificate since
> then I couldn't use different LDAP servers.
Could you try adding the server certificate to the TLS_CACERT file? I
believe the file should be able to hold more than just one certificate.
Given the number of similar problems reported recently, I believe
openldap should be able to provide an option to pass the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 flag to gnutls. It would make it
easier for users to deal with the transition.
/Simon
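Simon's diagnosis above rests on one fact: the server certificate's signatureAlgorithm is md5WithRSAEncryption, which GnuTLS now refuses. The following is an added example, not code from the thread or from GnuTLS or OpenLDAP, that lets an administrator make the same check offline on a PEM bundle (for instance the file TLS_CACERT points to, or the chain printed by gnutls-cli) before deciding whether to trust the server certificate directly. It walks the outer DER structure of each certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and reports any whose signature OID is MD5-based, using only the standard library. The helpers `encode_tlv`, `encode_oid` and `build_fake_cert` exist only to construct a sample bundle; the two "certificates" in it are DER skeletons with a placeholder tbsCertificate, not real certificates.

```python
"""Flag PEM certificates signed with RSA-MD5 (added example, stdlib only)."""
import base64
import re

# Well-known PKCS#1 signature OIDs (these OIDs are standard, not from the thread).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_BASED = {"1.2.840.113549.1.1.4"}


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der_cert):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm."""
    tag, body, _ = der_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_tlv(body, 0)          # tbsCertificate (skipped)
    tag, alg, _ = der_tlv(body, pos)          # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_tlv(alg, 0)             # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return decode_oid(oid)


def pem_certs(bundle_text):
    """Yield the DER bytes of every certificate in a PEM bundle, in order."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for b64 in re.findall(pattern, bundle_text, re.S):
        yield base64.b64decode("".join(b64.split()))


def weak_signatures(bundle_text):
    """Return [(index, algorithm name)] for certificates signed with RSA-MD5."""
    hits = []
    for i, cert in enumerate(pem_certs(bundle_text)):
        oid = signature_oid(cert)
        if oid in MD5_BASED:
            hits.append((i, SIG_ALG_OIDS.get(oid, oid)))
    return hits


# --- constructed sample input below; hypothetical helpers, not real certificates ---
def encode_tlv(tag, content):
    """Minimal DER encoder handling short- and long-form lengths."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID into DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_fake_cert(sig_oid):
    """DER skeleton of a Certificate with a placeholder tbsCertificate (constructed)."""
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x01"))
    alg = encode_tlv(0x30, encode_tlv(0x06, encode_oid(sig_oid)) + encode_tlv(0x05, b""))
    sig = encode_tlv(0x03, b"\x00" + b"\x00" * 128)  # BIT STRING, long-form length
    return encode_tlv(0x30, tbs + alg + sig)


def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed bundle: first entry MD5-signed, second SHA-256-signed.
SAMPLE_BUNDLE = to_pem(build_fake_cert("1.2.840.113549.1.1.4")) + \
                to_pem(build_fake_cert("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, name in weak_signatures(SAMPLE_BUNDLE):
        print(f"certificate #{idx} is signed with {name}; GnuTLS will reject it")
```

Run it against a real bundle with `weak_signatures(open("/etc/ssl/certs/ca-certificates.crt").read())`; an empty result means nothing in the file would trip the RSA-MD5 check, while a hit identifies which certificate needs to be replaced or, as the thread suggests, whose subject certificate must be trusted directly instead.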