Bug#683095: wheezy pam_ldap broken with squeeze slapd using CAcert.org

Gerald Turner gturner at unzane.com
Fri Apr 19 00:46:29 UTC 2013


Subject: Re: ldap client breaks after upgrade to wheezy
Followup-For: Bug #683095
Package: libgnutls26
Version: 2.12.20-6


I just spent the last couple hours struggling with the same problem.

Upgraded a pam_ldap client machine from squeeze to wheezy, openldap
server is still running squeeze.  Server certificate was issued by
CAcert.org.

With debug turned up on an ‘ldapsearch’, all I get is the following:

  TLS: peer cert untrusted or revoked (0x102)
  TLS: can't connect: (unknown error code).

That led me to bug #478883.  Tests using the following command:

  gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt \
    -d 4711 -V -p 636 ldap.example.com

…works fine on squeeze (2.8), but fails on wheezy (2.12):

 …|<3>| HSK[0x251f710]: CERTIFICATE was received [4753 bytes]
  |<6>| BUF[REC][HD]: Read 4749 bytes of Data(22)
  |<6>| BUF[HSK]: Peeked 214 bytes of Data
  |<6>| BUF[HSK]: Emptied buffer
  |<6>| BUF[HSK]: Inserted 4 bytes of Data
  |<6>| BUF[HSK]: Inserted 4749 bytes of Data
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: ext_signature.c:393
  |<2>| ASSERT: mpi.c:609
  |<2>| ASSERT: dn.c:1209
  |<2>| ASSERT: verify.c:584
  |<2>| ASSERT: gnutls_kx.c:705
  |<2>| ASSERT: gnutls_handshake.c:2777
  |<6>| BUF[HSK]: Cleared Data from buffer
  *** Fatal error: Error in the certificate.
  |<4>| REC: Sending Alert[2|42] - Certificate is bad
  |<4>| REC[0x251f710]: Sending Packet[1] Alert(21) with length: 2
  |<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
  |<7>| WRITE FLUSH: 7 bytes in buffer.
  |<7>| WRITE: wrote 7 bytes, 0 bytes left.
  |<4>| REC[0x251f710]: Sent Packet[2] Alert(21) with length: 7
  *** Handshake has failed
  GnuTLS error: Error in the certificate.
  |<6>| BUF[HSK]: Cleared Data from buffer
  |<4>| REC[0x251f710]: Epoch #0 freed
  |<4>| REC[0x251f710]: Epoch #1 freed
  Processed 6 CA certificate(s).
  Resolving 'ldap.example.com'...
  Connecting to '2001:dead:beef:::636'...
  *** Verifying server certificate failed...

I hadn't realized that CAcert had reissued their intermediate to change
fingerprint algorithm.

Thanks Daniel!

Manually replacing /usr/share/ca-certificates/cacert.org/cacert.org.crt
on the squeeze server with the wheezy version solved the LDAP failures.
Feels really dirty overwriting a file in /usr.  Perhaps the
ca-certificates package in squeeze could use some maintenance
(squeeze-backports?) so that other users avoid this problem on wheezy
upgrade.  Or maybe a NEWS.Debian entry in libgnutls26 hinting at the
breakage of the new gnutls validation code vs. older CAcert certificates
on remote squeeze servers?


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6              2.13-38
ii  libgcrypt11        1.5.0-5
ii  libp11-kit0        0.12-3
ii  libtasn1-3         2.13-2
ii  multiarch-support  2.13-38
ii  zlib1g             1:1.2.7.dfsg-13

libgnutls26 recommends no packages.

libgnutls26 suggests no packages.

-- no debconf information

-- 
Gerald Turner   Email: gturner at unzane.com   JID: gturner at unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5