[Pkg-openldap-devel] Bug#498410: libldap-2.4-2: libldap ignores CRL in ldap.conf when linked against GnuTLS
B. Hof
hof at stusta.net
Tue Sep 9 19:40:35 UTC 2008
Package: libldap-2.4-2
Version: 2.4.10-3
Severity: normal
Tags: patch

The documentation says to put a directive "TLS_CRLFILE" in the ldap.conf config
file to use a certificate revocation list on the client side when using libldap
linked against GnuTLS (as is the case in lenny, not in etch).

This line is ignored in libldap (since its introduction in 2.4),
"TLS_CRL" works instead. You can thus use "TLS_CRL" as a workaround (or
both, "TLS_CRL" and "TLS_CRLFILE").

Currently everyone using libldap in the 2.4 series or anything linked against
libldap while having revoked server certificates is affected.

This issue was fixed by upstream in HEAD and the release branch. Please
note that upstream now only uses the TLS_CRLFILE directive.

This trivial patch fixes the issue and enables, as suggested by Florian
Weimer, the use of both directives.

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26.3 (PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ldap-utils depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libgnutls26 2.4.1-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.10-3 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-21 Cyrus SASL - authentication abstra
Versions of packages ldap-utils recommends:
ii libsasl2-modules 2.1.22.dfsg1-21 Cyrus SASL - pluggable authenticat
ldap-utils suggests no packages.
-- no debconf information
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26.3 (PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libldap-2.4-2 depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libgnutls26 2.4.1-1 the GNU TLS library - runtime libr
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
libldap-2.4-2 recommends no packages.
libldap-2.4-2 suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: init.c.patch
Type: text/x-diff
Size: 460 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20080909/497fcdc9/attachment.patch
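
An added example, not part of the original report or of OpenLDAP: a small audit of ldap.conf text that flags the two situations the report describes (TLS_CRLFILE alone is ignored by affected libldap 2.4 builds, TLS_CRL alone is ignored by fixed upstream). The function names, finding strings and sample paths are assumptions made for illustration.

```python
import os

# Keywords as named in the report: affected libldap 2.4 (GnuTLS) builds act
# on TLS_CRL only; the documentation and fixed upstream use TLS_CRLFILE.
LEGACY, DOCUMENTED = "TLS_CRL", "TLS_CRLFILE"


def parse_crl_options(text):
    """Return {KEYWORD: path} for the two CRL keywords found in ldap.conf text.

    Keywords are matched case-insensitively; blank lines and '#' comments are
    skipped. Keeping the last occurrence is an assumption of this sketch.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        if keyword in (LEGACY, DOCUMENTED):
            found[keyword] = parts[1].strip() if len(parts) > 1 else ""
    return found


def audit_crl(text, exists=os.path.isfile):
    """Return a list of findings; an empty list means both cases are covered."""
    opts = parse_crl_options(text)
    legacy, documented = opts.get(LEGACY), opts.get(DOCUMENTED)
    findings = []
    if legacy is None and documented is None:
        findings.append("no CRL directive configured")
    elif legacy is None:
        findings.append("TLS_CRLFILE only: ignored by affected libldap 2.4 builds")
    elif documented is None:
        findings.append("TLS_CRL only: ignored by upstream builds with the fix")
    elif legacy != documented:
        findings.append("TLS_CRL and TLS_CRLFILE name different files")
    for path in sorted({p for p in (legacy, documented) if p is not None}):
        if not path or not exists(path):
            findings.append("CRL file not found: %r" % path)
    return findings


# Constructed sample, not taken from the report.
SAMPLE = "# client TLS settings\nTLS_CACERT /etc/ssl/certs/ca.pem\ntls_crlfile /etc/ssl/crl.pem\n"

if __name__ == "__main__":
    for finding in audit_crl(SAMPLE, exists=lambda p: True):
        print(finding)
```
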