Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26

Andreas Metzler ametzler at downhill.at.eu.org
Thu Jan 29 18:31:00 UTC 2009

On 2009-01-29 Steve Langasek <steve.langasek at canonical.com> wrote:
> Hi Andreas,

> > is this the issue that is also being discussed in
> > http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e
> > or is it the original submitter a different one than Douglas E.
> > Engert?

> That looks to be the same issue, though Douglas is not who submitted the bug
> to Ubuntu (and I don't see any record of his bug ever having made it to
> Ubuntu).  Thanks for the pointer to this!  Do you think you'll be applying
> this patch to the Debian package soon?  Looks release-critical to me, given
> that it breaks validation of valid (and well-known) CAs.


I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs, 
which afaiui are rare.

Gnutls is documented to not trust this type of certificate unless a
special flag is set; afaict the bug is about the fact that gnutls
distrusted them even if the flag was set. Even fixing this did not help
Douglas, since it would have required changing nss-ldap to pass the

Douglas later posted a feature enhancement patch that makes GnuTLS
stop when an intermediate CA cert is found on the trusted CA

The patch has not yet been reviewed positively - I think upstream first
needs to see the copyright assignment done.

cu and- Just found that you posted essentially the same summary to
https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264  -reas
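The distinction the mail turns on is mechanical: a certificate whose TBSCertificate carries no explicit version field is X.509 v1 (the DEFAULT value is omitted under DER), and a v1 certificate cannot carry extensions, so it can never assert basicConstraints cA=TRUE. That is why a verifier has to decide by policy, not by the certificate's own content, whether a v1 cert in the trust store may act as a CA, and why GnuTLS gates it behind a verification flag (GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT in its API). The following is an added example, not code from this thread, from GnuTLS or from ldap-utils: a stdlib-only DER walker that reports the version and the basicConstraints cA bit, plus a policy function that models the rule the mail describes. The sample certificates are constructed in the block (empty names, placeholder key and signature) and are not real CA certs; the policy function is a simplification for illustration, not GnuTLS's verification logic.

```python
"""Classify X.509 certificates by version and basicConstraints (added example)."""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19, DER-encoded OID body


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, off: int):
    """Decode the TLV at buf[off:]; return (tag, body, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off + 2 : off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:end], end


def _children(body: bytes):
    """Yield (tag, body) for every element inside a constructed DER body."""
    off = 0
    while off < len(body):
        tag, inner, off = _read_tlv(body, off)
        yield tag, inner


def _tbs(der: bytes) -> bytes:
    """Return the TBSCertificate body of a DER certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    return tbs


def cert_version(der: bytes) -> int:
    """1 when the [0] EXPLICIT version is absent (DER omits the DEFAULT), else value+1."""
    first_tag, first_body, _ = _read_tlv(_tbs(der), 0)
    if first_tag != 0xA0:
        return 1
    vtag, vbody, _ = _read_tlv(first_body, 0)
    if vtag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(vbody, "big") + 1


def basic_constraints_ca(der: bytes):
    """True/False from basicConstraints cA, or None when the extension is absent."""
    for tag, body in _children(_tbs(der)):
        if tag != 0xA3:  # [3] EXPLICIT Extensions, only legal in v3
            continue
        _, ext_list, _ = _read_tlv(body, 0)  # SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            fields = list(_children(ext))  # extnID, [critical], extnValue
            if fields[0] != (0x06, BASIC_CONSTRAINTS_OID):
                continue
            _, bc, _ = _read_tlv(fields[-1][1], 0)  # BasicConstraints inside OCTET STRING
            for btag, bbody in _children(bc):
                if btag == 0x01:  # cA BOOLEAN
                    return bbody != b"\x00"
            return False  # cA DEFAULT FALSE
    return None


def accept_as_trust_anchor(der: bytes, allow_v1_ca: bool = False):
    """Simplified model of the rule in the mail: v3 needs cA=TRUE, v1 needs the opt-in flag."""
    if cert_version(der) == 1:
        if allow_v1_ca:
            return True, "v1 CA accepted because the v1-CA flag is set"
        return False, "X.509 v1 certificate cannot prove it is a CA; flag not set"
    if basic_constraints_ca(der) is True:
        return True, "v3 certificate with basicConstraints cA=TRUE"
    return False, "v3 certificate without basicConstraints cA=TRUE"


def build_sample_cert(version: int, ca: bool) -> bytes:
    """Constructed sample (not a real certificate): minimal DER skeleton for the walker."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    name = _tlv(0x30, b"")  # empty Name; enough for structure checks
    validity = _tlv(0x30, _tlv(0x17, b"090101000000Z") + _tlv(0x17, b"190101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))  # placeholder key
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if version == 3 else b""
    tbs += _tlv(0x02, b"\x01") + alg + name + validity + name + spki
    if version == 3:
        bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
        ext = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + _tlv(0x01, b"\xff") + _tlv(0x04, bc))
        tbs += _tlv(0xA3, _tlv(0x30, ext))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))  # placeholder signature


if __name__ == "__main__":
    for label, der in (("v1 CA", build_sample_cert(1, True)),
                       ("v3 CA", build_sample_cert(3, True)),
                       ("v3 leaf", build_sample_cert(3, False))):
        print(label, cert_version(der), basic_constraints_ca(der), accept_as_trust_anchor(der))
```

To check a real trust store for the case discussed here, feed each CA file to `cert_version()` after `openssl x509 -in ca.pem -outform DER`, or simply read the `Version:` line of `openssl x509 -in ca.pem -noout -text`; any anchor reporting version 1 is one that GnuTLS will refuse unless the caller opts in.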

