Bug#514578: LDAP STARTTLS is broken
Brian May
brian at microcomaustralia.com.au
Wed Feb 11 23:25:04 UTC 2009
Simon Josefsson wrote:
> Can you provide more details what "works" and "not work" actually means
> for you? Output from gnutls-cli with -d 4711 and --print-cert helps.
> The original failure in this bug report is the intended and documented
> behaviour, so if you really are seeing the same problem, the problem is
> with your cert chains.
>
Unfortunately no. The configuration that didn't work, now works, and I
don't know what I did to change do that. I will list the steps though:
1. upgrade client from etch to lenny
2. note ldap is broken because certificate is not trusted
3. hours of debugging, including adding both root and intermediate
class 3 certificate to trusted chain
4. upgrade libgnutls26 from 2.4.2-5 to 2.4.2-6
5. It works!
6. Upgrade openldap server to Lenny.
7. Upgrade another client to lenny. It is using libgnutls26 2.4.2-5.
8. It works!
9. Downgrade libgnutls26 on first client to 2.4.2-5
10. It still works!
Something must have changed, but I don't know what.
Maybe step 6 might be significant? I can't see any evidence to proof
this - it seems unlikely. I might be wrong...
I will let you know if I encounter the problem again.
Just in case I also downgraded libgnutls26 to 2.4.2-4, and it still works.
--
Brian May <brian at microcomaustralia.com.au>
More information about the Pkg-gnutls-maint
mailing list