Bug#616035: [libgnutls26] Breaks OpenLDAP with message: TLS: peer cert untrusted or revoked (0x402)
Vedran Furač
vedran.furac at gmail.com
Thu Mar 10 21:57:01 UTC 2011
On 10.03.2011 08:54, Nikos Mavrogiannopoulos wrote:
> On 03/10/2011 04:14 AM, Vedran Furač wrote:
>
>>>>>> - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed
>>>>>> using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21
>>>>>> 12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
>>>>> Looks like one of certs had expired?
>>>>
>>>> That could be the problem, but that would indicate a bug in the all
>>>> previous versions of gnutls.
>>>
>>> The expiration checking had to be explicitly done by the application using
>>> gnutls in the previous version. Implicit checking by gnutls was added in 2.8.x.
>> 2.8? But it works for me in 2.8.6, something is changed in 2.10.x.
>
> The change in 2.10 was that the intermediate and CA certificates are
> being checked for expiration as well.
OK, that would explain it.
>>> I don't understand your point. Is the certificate expired or not?
>> Sure, it's expired, but gnutls fails to detect that and is blabbing about:
>>
>> TLS: peer cert untrusted or revoked (0x402)
>> TLS: can't connect: (unknown error code).
>> or
>> GnuTLS error: Error in the certificate.
>
> gnutls is a library it doesn't print anything. This is an application issue.
Fine then, the latter (GnuTLS error: Error in the certificate.) is the
output of gnutls-cli, bug is there then.
Anyway, you can close the report.
Regards,
Vedran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vedran_furac.vcf
Type: text/x-vcard
Size: 219 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20110310/efbc0967/attachment.vcf>
More information about the Pkg-gnutls-maint
mailing list