Bug#514578: LDAP STARTTLS is broken
simon at josefsson.org
Thu Feb 12 09:26:47 UTC 2009
Brian May <brian at microcomaustralia.com.au> writes:
> Simon Josefsson wrote:
>> Can you provide more details what "works" and "not work" actually means
>> for you? Output from gnutls-cli with -d 4711 and --print-cert helps.
>> The original failure in this bug report is the intended and documented
>> behaviour, so if you really are seeing the same problem, the problem is
>> with your cert chains.
> Unfortunately no. The configuration that didn't work, now works, and I
> don't know what I did to change do that. I will list the steps though:
> 1. upgrade client from etch to lenny
> 2. note ldap is broken because certificate is not trusted
> 3. hours of debugging, including adding both root and intermediate
> class 3 certificate to trusted chain
> 4. upgrade libgnutls26 from 2.4.2-5 to 2.4.2-6
> 5. It works!
> 6. Upgrade openldap server to Lenny.
> 7. Upgrade another client to lenny. It is using libgnutls26 2.4.2-5.
> 8. It works!
> 9. Downgrade libgnutls26 on first client to 2.4.2-5
> 10. It still works!
> Something must have changed, but I don't know what.
Do you recall which version you upgraded to in step 1? Maybe it was an
older version, which didn't have the fixes.
> Maybe step 6 might be significant? I can't see any evidence to proof
> this - it seems unlikely. I might be wrong...
Not impossible, maybe you could try downgrade openldap and see if you
can reproduce it?
> I will let you know if I encounter the problem again.
> Just in case I also downgraded libgnutls26 to 2.4.2-4, and it still works.
More information about the Pkg-gnutls-maint