[Pkg-openldap-devel] Bug#525605: Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

Quanah Gibson-Mount quanah at zimbra.com
Sun Apr 26 21:31:20 UTC 2009


--On Sunday, April 26, 2009 12:24 PM +0200 Arthur de Jong 
<adejong at debian.org> wrote:

> On Sat, 2009-04-25 at 15:47 -0700, Quanah Gibson-Mount wrote:
>> There have been numerous changes to how libldap uses TLS entirely
>> since 2.4.11, and several fixes specific to GnuTLS as well.  I would
>> advise you use the very latest from CVS HEAD rather than poking at
>> 2.4.11.  IIRC, there is one GnuTLS fix not currently in the RE24 code,
>> which is why I suggest using HEAD atm.  I'll be syncing up RE24 likely
>> in the next week or so.
>
> I can probably test with CVS HEAD at some point. I would like to point
> out though that this problem is in 2.4.15-1.1 and I just happened to have
> 2.4.11 source code lying around so I used grep on that a couple of
> times.
>
> I will probably test with 2.4.16 once it's out but I'm going to work
> around this bug anyway so I won't notice it in normal use any more (I'm
> going to set all options globally once anyway).

2.4.16 was released a few weeks ago.  And, it is also the current "stable" 
designated release from OpenLDAP.

From the changelog:

OpenLDAP 2.4.16 Release (2009/04/05)
	Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
	Fixed libldap GnuTLS with CA chains (ITS#5991)
	Fixed libldap GnuTLS TLSVerifyCilent try (ITS#5981)

HEAD also has:

Log Message:
ITS#6053 must use gnutls_x509_privkey_init()


> Btw, is there any reliable way to get more error conditions about what
> went wrong with SSL/TLS? I've been digging (in 2.4.11 again) and the
> only thing I could come up with setting the debug level, registering a
> handler to read the log messages and parse the output. I don't want to
> implement that but is there a better way?

Not that I'm aware of.  That might be a better question for one of the 
openldap lists.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
