Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26
Steve Langasek
steve.langasek at canonical.com
Thu Jan 29 21:15:55 UTC 2009
On Thu, Jan 29, 2009 at 07:31:00PM +0100, Andreas Metzler wrote:
> I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
> which afaiui are rare.
> http://news.gmane.org/find-root.php?message_id=%3c20090110155632.10ba0626%40nmav%2deee%3e
> Gnutls is documented to not trust this type of certificates unless a
> special flag is set, afaict the bug is about the fact that gnutls
> distrusted them even if the flag was set. Even fixing this did not help
> Douglas, since it would have required changing nss-ldap to pass the
> flag.
Ok. If you don't think it's serious, by all means re-downgrade it. I would
think this should be fixed before lenny release, though, given that there
are still some commonly-recognized V1 CAs.
> Douglas later posted a feature enhancement patch that makes GnuTLS
> stop when an intermediate CA cert is found on the trusted CA
> list.
> http://news.gmane.org/find-root.php?message_id=%3c496BA38D.90104%40anl.gov%3e
Right.
Since at that point he's dealing with creating his own top-level CA, one
wonders why they don't issue a self-signed cert for their CA and truncate
the chain that way?
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the Pkg-gnutls-maint
mailing list