Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"
Edward Allcutt
emallcut at gleim.com
Wed Feb 11 00:21:26 UTC 2009
Package: libgnutls13
Version: 1.4.4-3+etch3
Severity: important
After the upgrade all embedded uses of LDAP fail with connection errors.
On investigation, these seem to be caused by certificate validation
problems.
This was first noticed with nss_ldap. After enabling debugging, running
`getent group` produced error messages like:
TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
TLS certificate verification: Error, Unknown error
Similar problems occur for pam_ldap and apache mod_authnz_ldap.
Strangely, gnutls-cli verifies the server certificate with no problems.
The error was first seen in a STARTTLS only configuration. I have since
enabled ldaps to ease testing with gnutls-cli and confirmed it still
affects nss_ldap and apache switched to ldaps.
The root (trusted) certificate of our cert chain is an x509v1 cert, however I'd
expect gnutls-cli to complain if this were the issue.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-amd64
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Versions of packages libgnutls13 depends on:
ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii libgcrypt11 1.2.3-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-1 library for common error values an
ii liblzo1 1.08-3 data compression library (old vers
ii libopencdk8 0.5.9-2 Open Crypto Development Kit (OpenC
ii libtasn1-3 0.3.6-2 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3-13 compression library - runtime
libgnutls13 recommends no packages.
-- no debconf information
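The report above notes that the trusted root is an X.509 v1 certificate and that the GnuTLS-based clients fail while gnutls-cli verifies the same server. A quick way to confirm which certificates in a PEM chain are v1 is to look at the first element of the DER TBSCertificate: v2/v3 certificates carry an explicit `[0]` version tag, v1 certificates omit it entirely. The script below is an added example written for this page; it is not part of the bug report, of GnuTLS or of nss_ldap. The DER fragments it embeds are constructed and contain only the framing needed for the version check, not real certificates.

```python
"""Report the X.509 version of each certificate in a PEM bundle.

Added example (hypothetical helper, not GnuTLS or Debian code).
Only the outer Certificate / TBSCertificate framing is parsed, which is
all that is needed to tell a v1 certificate (no version field) from a
v3 one (explicit [0] version tag as the first TBS element).
"""
import base64
import re


def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, cert_body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs)
    if tag == 0xA0:  # [0] EXPLICIT Version ::= INTEGER { v1(0), v2(1), v3(2) }
        _, ver, _ = _read_tlv(first)
        return int.from_bytes(ver, "big") + 1
    return 1  # version field absent: DEFAULT v1


def pem_to_der(pem_block):
    """Strip the BEGIN/END CERTIFICATE armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_block)
    return base64.b64decode("".join(body.split()))


def flag_v1_certs(chain_pem):
    """Return the indices (0 = first block) of v1 certificates in a PEM bundle."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", chain_pem, re.S)
    return [i for i, b in enumerate(blocks) if x509_version(pem_to_der(b)) == 1]


# Constructed samples: a v3-style framing (explicit version tag, then a
# serial number) and a v1-style framing (serial number first, no version).
V3_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")))
V1_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# A constructed two-block bundle: a v3 "leaf" followed by a v1 "root".
CHAIN_PEM = _pem(V3_SAMPLE) + _pem(V1_SAMPLE)

if __name__ == "__main__":
    for i, b in enumerate(re.findall(
            r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", CHAIN_PEM, re.S)):
        print(f"certificate {i}: X.509 v{x509_version(pem_to_der(b))}")
    print("v1 certificates at indices:", flag_v1_certs(CHAIN_PEM))
```

Run it against the CA bundle the LDAP clients are configured with (read the file and pass its text to `flag_v1_certs`); a non-empty result tells you the chain does contain a v1 certificate, which is the first thing to establish before comparing how the different verifiers treat it.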