[Pkg-openldap-devel] Bug#751002: libldap-2.4: No check of root certificate validity date
Ryan Tandy
ryan at nardis.ca
Wed Jun 11 01:34:41 UTC 2014
Hi Paul,
On 09/06/14 04:29 AM, Paul van der Vlis wrote:
> While upgrading from Debian 6 to Debian 7 LDAPS did not work anymore on the
> client. I found out the root-certificate was outdated for a long time and the
> validity date of a root certificate is not checked on a Debian 6 client. But it
> is checked on a Debian 7 client, and this can give unexpected problems while
> upgrading. And it is a risk for Debian 6 installations.
This is a behaviour change between squeeze and wheezy, yes, but in
libgnutls, not libldap; you can confirm it using gnutls-cli.
Are you suggesting the behaviour of gnutls in squeeze should be made
more strict like in wheezy? If so we should reassign this to gnutls.
> The error while upgrading is:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Without any context that is a bit vague, but it sounds like a result I
would expect in case of an expired certificate. Increasing libldap's
debug level, or testing with "ldapsearch -d 1", will show you more
details about the underlying cause of the failure.
If you need to disable the certificate verification to get your upgrade
finished, you can use the TLS_REQCERT ldap.conf(5) option, but that's a
rather big hammer as it disables several kinds of validation at once.
As the expiry check has already been fixed in wheezy and later, can you
be more explicit about the changes you think should be done in order to
resolve this report?
thanks,
Ryan
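The behaviour change Ryan describes is a validity-window check applied to every certificate in the chain, the root CA included. The following is an added example, not code from the bug report, from libldap or from gnutls; it re-implements only that date check over a constructed chain in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (the names and dates are invented), so that the expired-root case from the report can be reproduced offline.

```python
"""Validity-window check for every certificate in a chain.

Added example, not code from the bug report or from libldap/gnutls. It
re-implements only the date check the report is about: each certificate
in the chain, root CA included, must be inside its notBefore/notAfter
window at the time of the handshake. The certificate dictionaries below
are constructed sample data in the shape returned by
ssl.SSLSocket.getpeercert(); names and dates are made up.
"""
import ssl
from datetime import datetime, timezone

# Constructed sample chain: leaf, intermediate, root (dates are invented).
# The root has been expired for years, which is the situation in the report.
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "ldap.example.com"),),),
     "notBefore": "Jan  1 00:00:00 2014 GMT",
     "notAfter": "Jan  1 00:00:00 2015 GMT"},
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "notBefore": "Jan  1 00:00:00 2010 GMT",
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),),
     "notBefore": "Jan  1 00:00:00 2000 GMT",
     "notAfter": "Jan  1 00:00:00 2012 GMT"},  # expired root: not caught by a lenient client
]


def _common_name(cert):
    """Pull the commonName out of the nested subject tuple getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def check_chain_dates(chain, now):
    """Return [(commonName, problem)] for every certificate outside its window.

    An empty list means every certificate in the chain, root included, is
    valid at `now`. `now` must be a timezone-aware datetime.
    """
    now_ts = now.timestamp()
    problems = []
    for cert in chain:
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT"
        # strings that getpeercert() produces into a UTC epoch timestamp.
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if now_ts < not_before:
            problems.append((_common_name(cert), "not yet valid"))
        elif now_ts > not_after:
            problems.append((_common_name(cert), "expired"))
    return problems


def chain_is_valid(chain, now):
    """Strict verdict: the handshake should fail if any certificate is out of date."""
    return not check_chain_dates(chain, now)


if __name__ == "__main__":
    handshake_time = datetime(2014, 6, 11, tzinfo=timezone.utc)
    for name, problem in check_chain_dates(SAMPLE_CHAIN, handshake_time):
        print(f"{name}: {problem}")
    print("chain valid:", chain_is_valid(SAMPLE_CHAIN, handshake_time))
```

Run as a script it reports the expired root and a `chain valid: False` verdict, which is the strict result a wheezy client gives; a client that only checked the leaf would have accepted the same chain. The same function can be pointed at a real chain by building the list from `getpeercert()` on a connected socket.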