Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"
simon at josefsson.org
Wed Feb 11 15:34:52 UTC 2009
tags 514807 wontfix
Edward Allcutt <emallcut at gleim.com> writes:
> Simon Josefsson wrote:
>> Edward Allcutt <emallcut at gleim.com> writes:
>>> Package: libgnutls13
>>> Version: 1.4.4-3+etch3
>>> Severity: important
>>> After the upgrade all embedded uses of LDAP fail with connection errors.
>>> On investigations these seem to be caused by certificate validation
>>> This was first noticed with nss_ldap. After enabling debugging, running
>>> `getent group` produced error messages like:
>>> TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
>>> TLS certificate verification: Error, Unknown error
>>> Similar problems occur for pam_ldap and apache mod_authnz_ldap.
>>> Strangely, gnutls-cli verifies the server certificate with no problems.
>>> The error was first seen in a STARTTLS only configuration. I have since
>>> enabled ldaps to ease testing with gnutls-cli and confirmed it still
>>> affects nss_ldap and apache switched to ldaps.
>>> The root (trusted) certificate of our cert chain is an x509v1 cert, however I'd
>>> expect gnutls-cli to complain if this were the issue.
>> Please post output from 'gnutls-cli -p 663 your.ldap.server -d 4711
>> --print-cert' replacing your.ldap.server as appropriate.
> Output of `gnutls-cli -p ldaps -d 4711 --print-cert
>>out 2>&1` attached.
>> I suspect the problem is that you have a RSA-MD5 signature somewhere in
>> the certificate chain.
> Nope, already checked that... gnutls-cli does work after all. It's the
> other modules linked to libgnutls that are failing.
I believe the problem is that you have a V1 CA, which isn't permitted by
default by libgnutls.
The reason gnutls-cli doesn't complain is because it contains this code:
/* there are some CAs that have a v1 certificate *%&@#*%&
I don't recommend doing the same in other applications, and we should
probably remove it from gnutls-cli too. It may be useful to create a
parameter in other tools to enable the flag on a per-case basis, though.
For explanation of why V1 CA's are bad, see:
I'm tagging this as wontfix since this is the documented and intended
behaviour. I am sorry you had to notice it through an upgrade --
however the reason for the upgrade was to close this hole.
More information about the Pkg-gnutls-maint