Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"

Edward Allcutt emallcut at gleim.com
Wed Feb 11 15:14:29 UTC 2009

Simon Josefsson wrote:
> Edward Allcutt <emallcut at gleim.com> writes:
>> Package: libgnutls13
>> Version: 1.4.4-3+etch3
>> Severity: important
>> After the upgrade all embedded uses of LDAP fail with connection errors.
>> On investigations these seem to be caused by certificate validation
>> problems.
>> This was first noticed with nss_ldap. After enabling debugging, running
>> `getent group` produced error messages like:
>> TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
>> TLS certificate verification: Error, Unknown error
>> Similar problems occur for pam_ldap and apache mod_authnz_ldap.
>> Strangely, gnutls-cli verifies the server certificate with no problems.
>> The error was first seen in a STARTTLS only configuration. I have since
>> enabled ldaps to ease testing with gnutls-cli and confirmed it still
>> affects nss_ldap and apache switched to ldaps.
>> The root (trusted) certificate of our cert chain is an x509v1 cert; however, I'd
>> expect gnutls-cli to complain if this were the issue.
> Please post output from 'gnutls-cli -p 663 your.ldap.server -d 4711
> --print-cert' replacing your.ldap.server as appropriate.
Output of `gnutls-cli -p ldaps -d 4711 --print-cert ldap-3.teamgleim.com >out 2>&1` attached.

> I suspect the problem is that you have a RSA-MD5 signature somewhere in
> the certificate chain.
Nope, already checked that... gnutls-cli does work after all. It's the 
other modules linked to libgnutls that are failing.

Edward Allcutt
Network Operations
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: out
Url: http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20090211/f0013fed/attachment-0001.txt 
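As an added triage aid, not code from this thread or from GnuTLS, the script below reads the X.509 version and signature algorithm of each DER certificate in a chain and flags the two properties raised above: an x509v1 certificate and an RSA-MD5 signature. It parses only the leading ASN.1 fields of each certificate; the two sample certificates are constructed skeletons, and a real chain (for instance the certificates printed by `--print-cert`, decoded from PEM to DER) would be passed to `audit_chain` as a list of byte strings.

```python
# Added example (not from the bug thread): read X.509 version and signature
# algorithm from a DER certificate's leading ASN.1 fields. Stdlib only.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"          # md5WithRSAEncryption

def tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, pos after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OID content octets into dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # high bit clear ends the arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_der(der):
    """Return (x509_version, signature_algorithm_oid) for one DER certificate."""
    _, cert, _ = tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert, 0)                    # tbsCertificate SEQUENCE
    tag, val, pos = tlv(tbs, 0)
    if tag == 0xA0:                             # explicit [0] version present
        version = val[-1] + 1                   # INTEGER 0/1/2 -> v1/v2/v3
        _, _, pos = tlv(tbs, pos)               # skip serialNumber
    else:
        version = 1                             # no version field means v1
    _, alg, _ = tlv(tbs, pos)                   # signature AlgorithmIdentifier
    _, oid, _ = tlv(alg, 0)
    return version, decode_oid(oid)

def audit_chain(ders):
    """Per cert: (index, version, sig OID, issues) flagging x509v1 / rsa-md5."""
    report = []
    for i, der in enumerate(ders):
        version, oid = inspect_der(der)
        issues = ["x509v1"] * (version == 1) + ["rsa-md5"] * (oid == MD5_WITH_RSA)
        report.append((i, version, oid, issues))
    return report

# Constructed DER skeletons, not real certs: v1 + md5WithRSA, v3 + sha256WithRSA.
MD5_ALG, SHA256_ALG = bytes.fromhex("300d06092a864886f70d0101040500"), bytes.fromhex("300d06092a864886f70d01010b0500")
V1_CERT = b"\x30\x27\x30\x12\x02\x01\x01" + MD5_ALG + MD5_ALG + b"\x03\x02\x00\xaa"
V3_CERT = b"\x30\x2c\x30\x17\xa0\x03\x02\x01\x02\x02\x01\x01" + SHA256_ALG + SHA256_ALG + b"\x03\x02\x00\xaa"
```

Any certificate reported with `x509v1` or `rsa-md5` is a candidate for the stricter verification behaviour the thread is chasing; the issuer, validity and extensions are not parsed, so this is a first-pass filter rather than a full chain check.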