Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Andreas Metzler ametzler at bebt.de
Tue Jan 12 18:04:41 GMT 2021


Control: retitle -1 cacertdir not implemented for gnutls
Control: reassign -1 libldap-2.4-2 2.4.56+dfsg-1

On 2021-01-12 Andras Korn <korn-debbugs at elan.rulez.org> wrote:
> Package: libgnutls30
> Version: 3.7.0-3
> Severity: wishlist

> Hi,

> I was just bitten by https://github.com/SSSD/sssd/issues/5444.

> Briefly:

>  * sssd relies on libldap to query LDAP servers.
>  * libldap can be linked against libssl (openssl) or gnutls for SSL/TLS support.
>  * libssl supports an ldap_tls_cacertdir option; you can point it to /etc/ssl/certs and it'll trust all CA certificates that are in this directory.
>  * gnutls doesn't have this cacertdir mechanism and needs `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` instead.
>  * my sssd.conf only had ldap_tls_cacertdir, not ldap_tls_cacert; thus, gnutls didn't know which CA certificates to trust and failed to validate my LDAP server certificates.
>  * The root cause of the problem only became visible after enabling LDAP library debugging in sssd.conf. 

> I think I shouldn't need to specify `ldap_tls_cacert =
> /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
> this is the default location of trusted CA certificates in Debian.
> Configuration should only be necessary for non-default setups.

Hello,
GnuTLS offers a sane compile default for the trust store (See
gnutls_x509_trust_list_add_system_trust()), which can be used by the
application. - I have therefore retitled the bug.

From the upstream bug report:
2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap: TLS: warning: cacertdir not implemented for gnutls

GnuTLS has supported using a directory instead of a file since version
3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
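As an added example, not part of this bug report and not code from sssd, libldap or GnuTLS: a small POSIX shell check that scans an sssd.conf for the misconfiguration described above, a `[domain/...]` section that sets only `ldap_tls_cacertdir` and no `ldap_tls_cacert`, which is exactly the case where a GnuTLS-backed libldap ends up with no trust store. The two inline configs are constructed samples (hostnames and domain names are placeholders); the only assumption about the file format is sssd's INI layout with `[section]` headers and `key = value` lines.

```shell
#!/bin/sh
# Added example: flag sssd domains that rely on ldap_tls_cacertdir alone.
# Constructed sample 1: the failing layout from the bug (cacertdir only).
SAMPLE_BAD='[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_tls_cacertdir = /etc/ssl/certs
'

# Constructed sample 2: the corrected layout; ldap_tls_cacert names the
# Debian CA bundle so GnuTLS has a trust store regardless of cacertdir.
SAMPLE_GOOD='[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
'

# check_sssd_tls_trust CONFIG_TEXT
# Prints one line per [domain/*] section: "<section> ok" when ldap_tls_cacert
# is set, "<section> cacertdir-only" when only ldap_tls_cacertdir is set,
# "<section> no-cacert" when neither is.  Exit status 0 only if every domain
# section sets ldap_tls_cacert.
check_sssd_tls_trust() {
    printf '%s\n' "$1" | awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        # Emit the verdict for the section just finished (domain sections only).
        function report() {
            if (section ~ /^domain\//) {
                if (has_cacert)          print section " ok"
                else if (has_cacertdir) { print section " cacertdir-only"; bad = 1 }
                else                    { print section " no-cacert";      bad = 1 }
            }
        }
        BEGIN { bad = 0; section = "" }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                  # new [section] header
            report()
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; has_cacert = 0; has_cacertdir = 0
            next
        }
        {
            n = index($0, "=")
            if (n == 0) next
            key = trim(substr($0, 1, n - 1))
            val = trim(substr($0, n + 1))
            if (key == "ldap_tls_cacert"    && val != "") has_cacert = 1
            if (key == "ldap_tls_cacertdir" && val != "") has_cacertdir = 1
        }
        END { report(); exit bad }
    '
}

# Stand-alone usage: run the check against a real file with
#   check_sssd_tls_trust "$(cat /etc/sssd/sssd.conf)"
# Here it is run on the two constructed samples.
check_sssd_tls_trust "$SAMPLE_BAD"  || echo "sample 1 would fail with GnuTLS-backed libldap"
check_sssd_tls_trust "$SAMPLE_GOOD" && echo "sample 2 is fine"
```

The check deliberately does not treat `ldap_tls_cacertdir` as sufficient, since whether it is honoured depends on which TLS library libldap was built against, while `ldap_tls_cacert` works with both.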