Bug#514578: LDAP STARTTLS is broken
Brian May
brian at microcomaustralia.com.au
Mon Feb 9 23:03:12 UTC 2009
Hello,
This appears to break LDAP that uses cacert's class 3 certificate[1].
More information at <http://blog.cacert.org/2009/01/356.html#comments>
From a previous report "you need to trust an intermediary certificate"
- I already do just that, but it doesn't work. As such, I don't believe
this is a security risk, because I have a known good copy of the
intermediary CA certificate.
The server certificate itself is not based on md5.
"renew my certificates" is not an option until cacert generates a new CA
certificate.
Unfortunately the result of this may be that I may have to downgrade
security (e.g. disable TLS) in order to finish the upgrade to Lenny :-(
Any workarounds would be appreciated ;-).
Notes:
[1] actually I am not positive of this, as the output of "gnutls-cli -p
ldaps server -d 4711 --print-cert --x509cafile
/etc/ssl/certs/class3.pem" doesn't mention md5 anywhere, however I know
the intermediate CA certificate is based on md5 so I am assuming it is
the same issue as here.
If you want I can open a separate bug report on this.
--
Brian May <brian at microcomaustralia.com.au>
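The situation in this report (leaf certificate fine, intermediate CA signed with MD5, tool output not saying so) is easiest to see by reading the outer signatureAlgorithm of every certificate in a chain rather than only the server's. The following script is an added example and is not part of the bug report or of GnuTLS; it contains a minimal DER walker that locates Certificate.signatureAlgorithm in each PEM block and flags MD5-based OIDs. The two certificates it inspects are constructed stand-ins with a dummy tbsCertificate and signature value, not CAcert's real class 3 chain; the OID-to-name table is an assumption limited to three common RSA signature algorithms.

```python
"""Report the signature algorithm of every certificate in a PEM chain and
flag MD5-based ones (added example; fixtures are constructed, not real CA data)."""
import base64
import re

# Dotted OID -> name. Assumed subset; extend as needed.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}  # MD5-based signatures


def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn the contents of an OBJECT IDENTIFIER into dotted notation."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Return the dotted OID from Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _ = _tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, _, tbs_end = _tlv(der, start)          # skip tbsCertificate
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, alg_start, _ = _tlv(der, tbs_end)       # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "first element must be an OID"
    return decode_oid(der[oid_start:oid_end])


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Extract every PEM certificate block as DER bytes, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def audit_chain(pem_text):
    """Return one dict per certificate: position, OID, name, and a weak flag."""
    report = []
    for index, der in enumerate(pem_to_ders(pem_text)):
        oid = signature_algorithm(der)
        report.append({
            "index": index,
            "oid": oid,
            "name": SIG_ALG_NAMES.get(oid, "unknown"),
            "weak": oid in WEAK_SIG_ALGS,
        })
    return report


# --- constructed fixtures: a tiny DER encoder builds two fake certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert(sig_oid):
    """Constructed certificate shell: only the outer layout is meaningful."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                 # dummy tbsCertificate
    alg = _der(0x30, encode_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier + NULL
    sig = _der(0x03, b"\x00" + b"\xAA" * 4)               # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Mirrors the report: leaf signed with SHA-256, intermediate signed with MD5.
SAMPLE_CHAIN = to_pem(fake_cert("1.2.840.113549.1.1.11")) + to_pem(fake_cert("1.2.840.113549.1.1.4"))

if __name__ == "__main__":
    for entry in audit_chain(SAMPLE_CHAIN):
        flag = "WEAK" if entry["weak"] else "ok"
        print(f"cert[{entry['index']}] {entry['name']} ({entry['oid']}): {flag}")
```

Point the script at a real chain file (server certificate first, then the intermediate) by passing its text to `audit_chain`; a verifier that refuses MD5 signatures rejects the chain at the intermediate even when the leaf looks clean.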