Bug#514578: LDAP STARTTLS is broken

Simon Josefsson simon at josefsson.org
Sun Feb 15 15:37:52 UTC 2009

Witold Baryluk <baryluk at smp.if.uj.edu.pl> writes:

> On 02-13 16:01, Simon Josefsson wrote:
>  > Can provide any logs if needed.
>> Please do (gnutls-cli --print-cert -d 4711 against your server).  A
>> trusted root CA certificate signed with RSA-MD5 should not cause any
>> problems.  Only intermediate non-trusted certificates signed with
>> RSA-MD5 should be rejected.
> Strange because in my configuration, certificate of LDAP server
> is directly signed by my root CA certificate.
> http://smp.if.uj.edu.pl/~baryluk/ldaptlsdebug.txt

Your end-entity certificate is signed using RSA-MD5, so the reject is as
expected.  A better description of the rejects might be "RSA-MD5
signatures in untrusted certificates".


More information about the Pkg-gnutls-maint mailing list