Bug#514578: libgnutls26: LDAP STARTTLS is broken

Simon Josefsson simon at josefsson.org
Mon Feb 9 16:03:20 UTC 2009

On Mon, 2009-02-09 at 16:48 +0100, Gabor Gombas wrote:
> On Mon, Feb 09, 2009 at 01:40:59PM +0100, Simon Josefsson wrote:
> > Please provide output from:
> > 
> > gnutls-cli -p 663 your.ldap.server -d 4711 --print-cert
> Here it is:

Thanks.  The server certificate is signed using RSA-MD5 so the failure
is correct.

> > Replacing your.ldap.server as appropriate.
> > 
> > I suspect your chain contains a certificate signed with RSA-MD5, if so
> > you need to trust an intermediary certificate directly to work around
> > the problem.  You'll need 2.4.2-6 for this to work.
> There is no intermediary certificate. The server's cert is signed by the
> top-level CA directly, and TLS_CACERT in ldap.conf points to the CA
> certificate. I can't point TLS_CACERT to the server's certificate since
> then I couldn't use different LDAP servers.

Could you try adding the server certificate to the TLS_CACERT file?  I
believe the file should be able to hold more than just one certificate.

Given the number of similar problems reported recently, I believe
openldap should be able to provide an option to pass the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 flag to gnutls.  It would make it
easier for users to deal with the transition.


More information about the Pkg-gnutls-maint mailing list