Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"

Edward Allcutt emallcut at gleim.com
Wed Feb 11 00:21:26 UTC 2009

Package: libgnutls13
Version: 1.4.4-3+etch3
Severity: important

After the upgrade all embedded uses of LDAP fail with connection errors.
On investigations these seem to be caused by certificate validation

This was first noticed with nss_ldap. After enabling debugging, running
`getent group` produced error messages like:
TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
TLS certificate verification: Error, Unknown error

Similar problems occur for pam_ldap and apache mod_authnz_ldap.
Strangely, gnutls-cli verifies the server certificate with no problems.

The error was first seen in a STARTTLS only configuration. I have since
enabled ldaps to ease testing with gnutls-cli and confirmed it still
affects nss_ldap and apache switched to ldaps.

The root (trusted) certificate of our cert chain is an x509v1 cert, however I'd
expect gnutls-cli to complain if this were the issue.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-amd64
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)

Versions of packages libgnutls13 depends on:
ii  libc6                  2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii  libgcrypt11            1.2.3-2           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-1             library for common error values an
ii  liblzo1                1.08-3            data compression library (old vers
ii  libopencdk8            0.5.9-2           Open Crypto Development Kit (OpenC
ii  libtasn1-3             0.3.6-2           Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libgnutls13 recommends no packages.

-- no debconf information

More information about the Pkg-gnutls-maint mailing list