Bug#643336: libgcrypt11: New 1.5.0 version segfaults with NSS/PAM LDAP

Marc Dequènes (Duck) duck at duckcorp.org
Tue Oct 4 11:02:04 UTC 2011


Coin,

Quoting Andreas Metzler <ametzler at downhill.at.eu.org>:

> do you also get the segfault when connecting the ldap server with
> gnutls-cli?

I was not able to test it with starttls (as in my configuration), as
it seems gnutls-cli waits indefinitely for the right moment to issue a
STARTTLS. Nevertheless, using ldaps:// does reproduce the problem, so
I tried using:
# gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 db-ldap-3.duckcorp.org
Processed 159 CA certificate(s).
Resolving 'db-ldap-3.duckcorp.org'...
Connecting to '2001:7a8:810:6969::1:636'...
- Certificate type: X.509
  - Got a certificate list of 2 certificates.
  - Certificate[0] info:
   - subject `C=DL,ST=DuckLand,L=DuckCity,O=DuckCorp,OU=DuckCorp LDAP Server,CN=db-ldap-3.duckcorp.org,EMAIL=admin at milkypond.org', issuer `C=DL,ST=DuckLand,L=DuckCity,O=DuckCorp,CN=DuckCorp CA,EMAIL=root at duckcorp.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-07-11 21:08:28 UTC', expires `2012-07-10 21:08:28 UTC', SHA-1 fingerprint `f2df9b66753df63c874321f64fd386c6417d00e9'
  - Certificate[1] info:
   - subject `C=DL,ST=DuckLand,L=DuckCity,O=DuckCorp,CN=DuckCorp CA,EMAIL=root at duckcorp.org', issuer `C=DL,ST=DuckLand,L=DuckCity,O=DuckCorp,CN=DuckCorp CA,EMAIL=root at duckcorp.org', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2004-12-02 19:08:23 UTC', expires `2014-11-30 19:08:23 UTC', SHA-1 fingerprint `948c918a78963793fb89e78f68f9f97d4df8e915'
- The hostname in the certificate matches 'db-ldap-3.duckcorp.org'.
- Peer's certificate is trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:


> Do I understand correctly that your cpu supports the
> AES-NI instruction set? (grep -i aes /proc/cpuinfo)

flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov  
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx rdtscp lm  
constant_tsc arch_perfmon pebs bts xtopology nonstop_tsc aperfmperf  
pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr  
pdcm sse4_1 sse4_2 x2apic popcnt *aes* xsave avx lahf_lm ida arat epb  
xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid


Regards.

-- 
Marc Dequènes (Duck)