Bug#683095: ldap client breaks after upgrade to wheezy
Daniel Pocock
daniel at pocock.com.au
Sat Jul 28 17:31:18 UTC 2012
Package: libgnutls26
Severity: important
Version: 2.12.20-1
I just upgraded a test server from squeeze to wheezy
The server had working LDAP authentication before the upgrade.
After the upgrade, LDAP authentication not working, no login possible.
Checking with ldapclient -d 3, I discovered this error:
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
Adding `TLS_REQCERT allow' to /etc/ldap/ldap.conf makes a workaround and
ldapclient works
I suspect that GnuTLS is now more strict about something - however, this
is a very bad way to find out
Specifically, my server uses a 4096 bit RSA cert signed by CACert.org
The CACert.org class 3 root is 4096 with SHA256
The CACert.org class 1 root is 4096 md5WithRSAEncryption
My client machine has a copy of both roots locally, but I'm guessing it
is getting stuck on the MD5 issue
I tried setting TLS_CIPHER_SUITE but couldn't find any value that works
At the very least, gnutls should give more detail for those unable to
guess what might be broken. More importantly, it would be nice to have
it work because it has the class 3 (intermediate) root certificate
locally, in such situations, the md5 signature on the ultimate root is
not so important.
More information about the Pkg-gnutls-maint
mailing list