Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"

Simon Josefsson simon at josefsson.org
Wed Feb 11 11:01:18 UTC 2009


Edward Allcutt <emallcut at gleim.com> writes:

> Package: libgnutls13
> Version: 1.4.4-3+etch3
> Severity: important
>
> After the upgrade, all embedded uses of LDAP fail with connection errors.
> On investigation, these seem to be caused by certificate validation
> problems.
>
> This was first noticed with nss_ldap. After enabling debugging, running
> `getent group` produced error messages like:
> TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
> TLS certificate verification: Error, Unknown error
>
> Similar problems occur for pam_ldap and apache mod_authnz_ldap.
> Strangely, gnutls-cli verifies the server certificate with no problems.
>
> The error was first seen in a STARTTLS only configuration. I have since
> enabled ldaps to ease testing with gnutls-cli and confirmed it still
> affects nss_ldap and apache switched to ldaps.
>
> The root (trusted) certificate of our cert chain is an x509v1 cert; however, I'd
> expect gnutls-cli to complain if this were the issue.

Please post output from 'gnutls-cli -p 663 your.ldap.server -d 4711
--print-cert' replacing your.ldap.server as appropriate.

I suspect the problem is that you have a RSA-MD5 signature somewhere in
the certificate chain.

/Simon
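The reply above asks for the chain as printed by gnutls-cli and suspects an RSA-MD5 signature in it; the report also mentions that the trust anchor is an X.509 v1 certificate. The script below is an added example, not code from this thread or from the GnuTLS project: it takes the concatenated PEM that `gnutls-cli --print-cert` writes, decodes just enough DER to read each certificate's version and outer signatureAlgorithm OID, and flags MD2/MD5-based algorithms and v1 certificates. Only the standard library is used. The three-certificate chain at the bottom is constructed in-script (placeholder TBS bodies, no real signatures) so the script runs offline; on a real server you would feed it the PEM output instead.

```python
"""Report signature algorithm and X.509 version for every cert in a PEM chain."""
import base64
import re

# Signature AlgorithmIdentifier OIDs (RFC 3279 / PKCS#1 and the old OIW arc).
# The bool marks algorithms built on MD2 or MD5.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.3.14.3.2.3": ("md5WithRSAEncryption (OIW)", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.3.14.3.2.29": ("sha1WithRSAEncryption (OIW)", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_certificate(der):
    """Return (version, signature OID) of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate begins with an OPTIONAL [0] EXPLICIT version; when absent the
    certificate is v1, which is exactly how a v1 root is recognised.
    """
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, pos = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    first_tag, first_val, _ = read_tlv(tbs, 0)
    if first_tag == 0xA0:                  # [0] EXPLICIT INTEGER; value 2 means v3
        _, ver, _ = read_tlv(first_val, 0)
        version = ver[0] + 1
    else:
        version = 1
    tag, alg, _ = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return version, decode_oid(oid)

def load_pem_chain(pem_text):
    """Split concatenated PEM (as printed by gnutls-cli --print-cert) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def audit_chain(ders):
    """One finding per certificate: position, version, algorithm name, two flags."""
    findings = []
    for i, der in enumerate(ders):
        version, oid = parse_certificate(der)
        name, weak_digest = SIG_ALGS.get(oid, (oid, False))
        findings.append({"index": i, "version": version, "signature": name,
                         "md5_or_md2": weak_digest, "v1_cert": version == 1})
    return findings

# ---- constructed sample chain (assumption for the demo, not from the bug report) ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid, version):
    """Certificate-shaped DER with a placeholder TBS body; not a real, signed cert."""
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    fields = tlv(0xA0, tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    fields += tlv(0x02, b"\x01") + alg         # serialNumber, inner signature field
    return tlv(0x30, tlv(0x30, fields) + alg + tlv(0x03, b"\x00" + bytes(16)))

SAMPLE_CHAIN = [
    sample_cert("1.2.840.113549.1.1.11", 3),   # server cert, SHA-256
    sample_cert("1.2.840.113549.1.1.4", 3),    # intermediate signed with MD5
    sample_cert("1.2.840.113549.1.1.5", 1),    # v1 root, SHA-1
]

def demo():
    return audit_chain(load_pem_chain("".join(to_pem(d) for d in SAMPLE_CHAIN)))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice, paste the PEM blocks from `gnutls-cli --print-cert` into a file and call `audit_chain(load_pem_chain(open(path).read()))`; a `True` in `md5_or_md2` on any certificate other than the self-signed root is the RSA-MD5 case suspected above, and `v1_cert` on the last certificate confirms the v1 trust anchor mentioned in the report.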
