Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26

Steve Langasek steve.langasek at canonical.com
Thu Jan 29 21:15:55 UTC 2009

On Thu, Jan 29, 2009 at 07:31:00PM +0100, Andreas Metzler wrote:
> I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs, 
> which afaiui are rare.
> http://news.gmane.org/find-root.php?message_id=%3c20090110155632.10ba0626%40nmav%2deee%3e

> Gnutls is documented to not trust this type of certificates unless a
> special flag is set, afaict the bug is about the fact that gnutls
> distrusted them even if the flag was set. Even fixing this did not help
> Douglas, since it would have required changing nss-ldap to pass the
> flag.

Ok.  If you don't think it's serious, by all means re-downgrade it.  I would
think this should be fixed before lenny release, though, given that there
are still some commonly-recognized V1 CAs.

> Douglas later posted a feature enhancement patch that makes GnuTLS
> stop when an intermediate CA cert is found on the trusted CA
> list.
> http://news.gmane.org/find-root.php?message_id=%3c496BA38D.90104%40anl.gov%3e


Since at that point he's dealing with creating his own top-level CA, one
wonders why they don't issue a self-signed cert for their CA and truncate
the chain that way?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

More information about the Pkg-gnutls-maint mailing list