Bug#514578: LDAP STARTTLS is broken

Simon Josefsson simon at josefsson.org
Tue Feb 10 12:06:09 UTC 2009

Brian May <brian at microcomaustralia.com.au> writes:

> Hello,
> This appears to break LDAP that uses cacert's class 3 certificate[1].
> More information at <http://blog.cacert.org/2009/01/356.html#comments>
>  From a previous report "you need to trust an intermediary certificate" 
> - I already do just that, but it doesn't work. As such, I don't believe 
> this is a security risk, because I have a known good copy of the 
> intermediary CA certificate.
> The server certificate itself is not based on md5.
> "renew my certificates" is not an option until cacert generates a new CA 
> certificate.
> Unfortunately the result of this may be that I may have to downgrade 
> security (e.g. disable TLS) in order to finish the upgrade to Lenny :-(
> Any work arounds would be appreciated ;-).

Are you using gnutls 2.4.2-6 from unstable?  It should be fixed in that
version.  It is not fixed in 2.4.2-5 (in testing), I believe.

> [1] actually I am not positive of this, as the output of "gnutls-cli -p 
> ldaps server -d 4711 --print-cert --x509cafile 
> /etc/ssl/certs/class3.pem" doesn't mention md5 anywhere

You'll need to pipe the output from gnutls-cli --print-cert to certtool
-i to get the signature algorithm.  This will be changed in the v2.7.x
branch, so that all details are printed by gnutls-cli.

> however I know the intermediate CA certificate is based on md5 so I am
> assuming it is the same issue as here.

I suspect it is the same problem.


More information about the Pkg-gnutls-maint mailing list