Bug#616035: [libgnutls26] Breaks OpenLDAP with message: TLS: peer cert untrusted or revoked (0x402)

Vedran Furač vedran.furac at gmail.com
Wed Mar 2 23:28:40 UTC 2011


On 02.03.2011 19:15, Andreas Metzler wrote:

>> After the upgrade to version 2.10.4 pam authentication against OpenLDAP
>> fails with the following error message:
> 
>> TLS: peer cert untrusted or revoked (0x402)
>> TLS: can't connect: (unknown error code).
> 
>> Had to downgrade to 2.8.6 to be able to log in again.
> [...]
> 
> Could you please show
> gnutls-cli --x509cafile wherever-TLS_CACERT-pointsto -p 636 ldap-server-hostname
> 
> for both 2.8.6 and 2.10.4?

2.8:

% gnutls-cli --x509cafile cacert.pem -p 636 canopus
Processed 1 CA certificate(s).
Resolving 'canopus'...
Connecting to '192.168.0.1:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=blahblah',issuer `blahblah', RSA key 2048 bits, signed
using RSA-SHA, activated `2006-07-26 17:16:08 UTC', expires `2012-07-24
17:16:08 UTC', SHA-1 fingerprint `745024f9629444bd04bbd570e05a0b0d2e3fd662'

 - Certificate[1] info:
  - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed
using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21
12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
- The hostname in the certificate matches 'canopus'.
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
^C

2.10:

# gnutls-cli --x509cafile cacert.pem -p 636 canopus
Processed 1 CA certificate(s).
Resolving 'canopus'...
Connecting to '192.168.0.1:636'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate


Regards,
Vedran


-- 
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
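An added example, not part of this bug report or of GnuTLS: a small Python script that parses the certificate list printed by gnutls-cli 2.8.6 in the transcript above and checks each certificate's validity window and RSA key size against a reference time. The parser joins continuation lines first, because gnutls-cli prints one long line per certificate and the terminal or mail client wraps it. The reference time (the date on this message) and the 2048-bit RSA threshold are assumptions chosen here; the sample input is the transcript as it appears in the message. Run against it, the script reports that Certificate[1], the issuer in the chain, had expired in July 2009, a check worth running whenever a newer verifier rejects a chain an older one accepted.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the certificate list gnutls-cli 2.8.6 printed in the
# report above, copied with its original line wrapping.
SAMPLE_OUTPUT = """\
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=blahblah',issuer `blahblah', RSA key 2048 bits, signed
using RSA-SHA, activated `2006-07-26 17:16:08 UTC', expires `2012-07-24
17:16:08 UTC', SHA-1 fingerprint `745024f9629444bd04bbd570e05a0b0d2e3fd662'

 - Certificate[1] info:
  - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed
using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21
12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
- The hostname in the certificate matches 'canopus'.
- Peer's certificate is trusted
"""

# Assumption: evaluate the chain as of the date on this message.
REPORT_TIME = datetime(2011, 3, 2, 23, 28, 40, tzinfo=timezone.utc)

CERT_START = re.compile(r"^\s*- Certificate\[(\d+)\] info:")
TS_RE = r"`(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC'"
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _field(pattern, text):
    """First capture group of `pattern` in `text`, or None if absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def _utc(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def parse_chain(text):
    """Parse gnutls-cli's per-certificate output into a list of dicts.

    Every non-blank line after a 'Certificate[n] info:' header is joined
    onto that certificate until the next header or the next column-0
    '- ' status line, so wrapped lines are handled before field extraction.
    """
    blocks, current = [], None
    for line in text.splitlines():
        m = CERT_START.match(line)
        if m:
            current = {"index": int(m.group(1)), "parts": []}
            blocks.append(current)
            continue
        if not line.strip():
            continue
        if line.startswith("- "):  # top-level status line: the chain listing is over
            current = None
            continue
        if current is not None:
            current["parts"].append(line.strip())

    certs = []
    for b in blocks:
        raw = " ".join(b["parts"])
        certs.append({
            "index": b["index"],
            "subject": _field(r"subject `([^']*)'", raw),
            "issuer": _field(r"issuer `([^']*)'", raw),
            "key_bits": int(_field(r"RSA key (\d+) bits", raw)),
            "activated": _utc(_field(r"activated " + TS_RE, raw)),
            "expires": _utc(_field(r"expires " + TS_RE, raw)),
            "fingerprint": _field(r"SHA-1 fingerprint `([0-9a-fA-F]+)'", raw),
        })
    return certs


def check_chain(certs, at=REPORT_TIME, min_rsa_bits=2048):
    """Return (index, problem) tuples for certificates failing basic checks."""
    findings = []
    for c in certs:
        if at < c["activated"]:
            findings.append((c["index"], "not yet valid"))
        if at > c["expires"]:
            findings.append((c["index"], "expired %s" % c["expires"].date()))
        if c["key_bits"] < min_rsa_bits:
            findings.append((c["index"], "RSA key %d bits below %d"
                             % (c["key_bits"], min_rsa_bits)))
    return findings


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    for c in chain:
        print("Certificate[%d] subject=%s issuer=%s %d-bit RSA, valid %s to %s"
              % (c["index"], c["subject"], c["issuer"], c["key_bits"],
                 c["activated"].date(), c["expires"].date()))
    for idx, problem in check_chain(chain):
        print("Certificate[%d]: %s" % (idx, problem))
```

The parser is written for the 2.x gnutls-cli line format shown in this message; other versions print the certificate fields differently and would need their own patterns.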