Bug#683095: ldap client breaks after upgrade to wheezy

Daniel Pocock daniel at pocock.com.au
Sat Jul 28 17:31:18 UTC 2012

Package: libgnutls26
Severity: important
Version: 2.12.20-1

I just upgraded a test server from squeeze to wheezy

The server had working LDAP authentication before the upgrade.

After the upgrade, LDAP authentication not working, no login possible.

Checking with ldapclient -d 3, I discovered this error:

TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).

Adding `TLS_REQCERT allow' to /etc/ldap/ldap.conf makes a workaround and
ldapclient works

I suspect that GnuTLS is now more strict about something - however, this
is a very bad way to find out

Specifically, my server uses a 4096 bit RSA cert signed by CACert.org

The CACert.org class 3 root is 4096 with SHA256

The CACert.org class 1 root is 4096 md5WithRSAEncryption

My client machine has a copy of both roots locally, but I'm guessing it
is getting stuck on the MD5 issue

I tried setting TLS_CIPHER_SUITE but couldn't find any value that works

At the very least, gnutls should give more detail for those unable to
guess what might be broken.  More importantly, it would be nice to have
it work because it has the class 3 (intermediate) root certificate
locally, in such situations, the md5 signature on the ultimate root is
not so important.

More information about the Pkg-gnutls-maint mailing list