Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26
ametzler at downhill.at.eu.org
Thu Jan 29 18:31:00 UTC 2009
On 2009-01-29 Steve Langasek <steve.langasek at canonical.com> wrote:
> Hi Andreas,
> > is this the issue that is also being discussed in
> > http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e
> > or is it the original submitter a different one than Douglas E.
> > Engert?
> That looks to be the same issue, though Douglas is not who submitted the bug
> to Ubuntu (and I don't see any record of his bug ever having made it to
> Ubuntu). Thanks for the pointer to this! Do you think you'll be applying
> this patch to the Debian package soon? Looks release-critical to me, given
> that it breaks validation of valid (and well-known) CAs.
I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
which afaiui are rare.
Gnutls is documented to not trust this type of certificates unless a
special flag is set, afaict the bug is about the fact that gnutls
distrusted them even if the flag was set. Even fixing this did not help
Douglas, since it would have required changing nss-ldap to pass the
Douglas later posted a feature enhancement patch that makes GnuTLS
stop when an intermediate CA cert is found on the trusted CA
The patch has not yet been reviewed positively - I think upstream first
needs to see the copyright assignment done.
cu and- Just found that you posted essentially the same summary to
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Pkg-gnutls-maint