Bug#616035: [libgnutls26] Breaks OpenLDAP with message: TLS: peer cert untrusted or revoked (0x402)
Vedran Furač
vedran.furac at gmail.com
Thu Mar 10 03:14:20 UTC 2011
On 09.03.2011 10:21, Nikos Mavrogiannopoulos wrote:
> 2011/3/8 Vedran Furač <vedran.furac at gmail.com>:
>
>>>> - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed
>>>> using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21
>>>> 12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
>>> Looks like one of certs had expired?
>>
>> That could be the problem, but that would indicate a bug in all
>> previous versions of gnutls.
>
> The expiration checking had to be explicitly done by the application using
> gnutls in the previous version. Implicit checking by gnutls was added in 2.8.x.
2.8? But it works for me in 2.8.6; something changed in 2.10.x.
> I don't understand your point. Is the certificate expired or not?
Sure, it's expired, but gnutls fails to detect that and is blabbing about:
TLS: peer cert untrusted or revoked (0x402)
TLS: can't connect: (unknown error code).
or
GnuTLS error: Error in the certificate.
While it should:
# grep -Ri expire /tmp/gnutls26-2.10.5/src
/tmp/gnutls26-2.10.5/src/common.c: if (status & GNUTLS_CERT_EXPIRED)
/tmp/gnutls26-2.10.5/src/common.c: printf ("- Peer's certificate chain uses expired certificate\n");
I had to make this work asap so I tried to generate a new certificate. I
know I previously used openssl to generate a self-signed certificate, but
unfortunately I forgot to document the procedure (as certs generated
using the standard method do not work (another, imho, bug)). So I used
certtool following the steps from:
http://wiki.debian.org/LDAP/OpenLDAPSetup
I had to remove TLSCACertificateFile and have updated TLS_REQCERT in
ldap.conf from "demand" to "allow". Wiki says to use TLS_REQCERT never,
but that's plain wrong as the client will not request or check any
server certificate with that setting.
Regards,
Vedran
--
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
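The hex code in the log line quoted in this message can be decoded without guessing. OpenLDAP prints the raw gnutls_certificate_status_t bitmask it got back from gnutls_certificate_verify_peers2(), and 0x402 is GNUTLS_CERT_INVALID (0x002) ORed with GNUTLS_CERT_EXPIRED (0x400): gnutls did flag the expiry, OpenLDAP's generic "untrusted or revoked" wording just hides it. The script below is an added example, not code from this thread, from gnutls or from OpenLDAP. The flag values are the GNUTLS_CERT_* constants from gnutls.h in the 2.x series; the log lines it parses are constructed to match the ones quoted above; and reqcert_verdict() is a model of the TLS_REQCERT semantics as documented in ldap.conf(5), written here to show what switching from "demand" to "allow" actually does with an expired certificate.

```python
"""Decode gnutls certificate-status bitmasks from OpenLDAP client log lines
and model what each TLS_REQCERT setting does with the result.

Added example: not code from the mailing-list thread, gnutls or OpenLDAP.
"""
import re

# gnutls_certificate_status_t flag values, taken from gnutls/gnutls.h (2.x).
GNUTLS_CERT_FLAGS = {
    0x002: "GNUTLS_CERT_INVALID",
    0x020: "GNUTLS_CERT_REVOKED",
    0x040: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    0x080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x100: "GNUTLS_CERT_INSECURE_ALGORITHM",
    0x200: "GNUTLS_CERT_NOT_ACTIVATED",
    0x400: "GNUTLS_CERT_EXPIRED",
}

# Matches the message libldap prints on verification failure, e.g.
# "TLS: peer cert untrusted or revoked (0x402)".
LOG_LINE_RE = re.compile(r"peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)")


def decode_status(status):
    """Return the names of every GNUTLS_CERT_* bit set in `status`.

    Bits not in the table are reported rather than silently dropped, so a
    newer gnutls adding flags cannot make a failure look cleaner than it is.
    """
    names = [name for bit, name in sorted(GNUTLS_CERT_FLAGS.items()) if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_FLAGS)
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def explain_log_line(line):
    """Decode the status code embedded in an OpenLDAP TLS log line.

    Returns the list of flag names, or None if the line carries no code.
    """
    match = LOG_LINE_RE.search(line)
    if not match:
        return None
    return decode_status(int(match.group(1), 16))


def reqcert_verdict(mode, cert_presented, status):
    """Model of the TLS_REQCERT behaviour documented in ldap.conf(5).

    never  : certificate neither requested nor checked.
    allow  : missing or bad certificate ignored, session proceeds.
    try    : missing certificate ignored, bad certificate terminates.
    demand : missing or bad certificate terminates ("hard" is a synonym).
    Returns "proceed" or "terminate".
    """
    mode = mode.lower()
    if mode == "never":
        return "proceed"
    if mode == "hard":
        mode = "demand"
    if mode not in ("allow", "try", "demand"):
        raise ValueError("unknown TLS_REQCERT mode: %r" % mode)
    if not cert_presented:
        return "proceed" if mode in ("allow", "try") else "terminate"
    if status == 0:
        return "proceed"          # chain verified cleanly
    return "proceed" if mode == "allow" else "terminate"


if __name__ == "__main__":
    # Constructed log lines shaped like the ones quoted in the thread.
    sample_log = [
        "TLS: peer cert untrusted or revoked (0x402)",
        "TLS: can't connect: (unknown error code).",
    ]
    for line in sample_log:
        flags = explain_log_line(line)
        if flags is not None:
            print("%s -> %s" % (line, " | ".join(flags)))
    for mode in ("never", "allow", "try", "demand"):
        print("TLS_REQCERT %-6s with status 0x402: %s"
              % (mode, reqcert_verdict(mode, True, 0x402)))
```

The verdict table is the practical caveat behind the last paragraph of the message: with TLS_REQCERT set to "allow", an expired (or otherwise unverifiable) server certificate is still requested and still fails verification, but the client proceeds anyway, so the setting only looks stricter than "never" while offering no protection against a substituted server. "try" or "demand" is what actually makes the 0x402 status fatal.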