gnutls fails to use Verisign CA cert without a Basic Constraint
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls13 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Using the Ubuntu version of libgnutls13_
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3.
ldapsearch -d 1 -H ldaps://...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_
The OpenLDAP ldap server certificate issued by Verisign is signed by:
Verisign_
which is signed by:
Verisign_
Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0
Verisign_
is a self-signed version 1 cert issued in 1996, with no extensions.
In lib/x509/verify.c gnutls_
but returns GNUTLS_
Basic Constraint.
The attached patch (to gnutls13_
this return and, if it is a self-signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.
Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.
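The report turns on three properties of the trust-store certificate: its X.509 version, whether it carries a Basic Constraints extension with cA=TRUE, and whether it is self-signed. The following is an added example, not code from the bug report or from gnutls: it parses those three properties out of a DER certificate with a hand-rolled minimal DER decoder and then applies two acceptance rules side by side, the strict rule the reporter says gnutls applies (no cA=TRUE, no CA) and the lenient rule the reporter attributes to the attached patch (a self-signed certificate without the extension is treated as a CA). The sample certificates are constructed inline and unsigned; they stand in for the shapes described above and are not the Verisign certificates themselves. Function names and the stub signature fields are assumptions of this example.

```python
"""Added example (not from the bug report or gnutls): classify a DER
certificate by X.509 version, Basic Constraints, and whether issuer equals
subject.  Sample certificates are constructed below; they are unsigned
stand-ins, not real Verisign data.  Python standard library only."""

def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def read_tlv(data, pos=0):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into a list of (tag, inner) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def inspect(cert_der):
    """Return version, self-signed flag, and the Basic Constraints cA bit
    (None when the extension is absent, as on a v1 certificate)."""
    _, cert_body, _ = read_tlv(cert_der)
    fields = children(children(cert_body)[0][1])   # TBSCertificate fields
    version = 1                                     # default when [0] is absent
    if fields[0][0] == 0xA0:                        # explicit [0] version
        version = fields.pop(0)[1][2] + 1           # INTEGER body holds v-1
    issuer, subject = fields[2][1], fields[4][1]
    ca_bit = None
    for tag, body in fields[6:]:
        if tag != 0xA3:                             # [3] extensions
            continue
        for _, ext in children(children(body)[0][1]):
            parts = children(ext)                   # OID [, critical], extnValue
            if parts[0] == (0x06, b"\x55\x1d\x13"): # id-ce-basicConstraints 2.5.29.19
                bc = children(children(parts[-1][1])[0][1])
                ca_bit = any(t == 0x01 and v != b"\x00" for t, v in bc)
    return {"version": version, "self_signed": issuer == subject,
            "basic_constraints_ca": ca_bit}

def accepted_as_ca(info, strict=True):
    """strict=True: the behaviour the report complains about -- no cA=TRUE, no CA.
    strict=False: the rule the reporter says the attached patch adds -- a
    self-signed certificate lacking the extension is treated as a CA."""
    if info["basic_constraints_ca"] is not None:
        return info["basic_constraints_ca"]
    return (not strict) and info["self_signed"]

# ---- constructed sample certificates (unsigned; signature fields are stubs) --

def _name(cn):
    return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))

def _tbs_fields(issuer_cn, subject_cn):
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    validity = seq(tlv(0x17, b"960128000000Z"), tlv(0x17, b"280801235959Z"))
    spki = seq(seq(tlv(0x06, bytes.fromhex("2a864886f70d010101"))), tlv(0x03, b"\x00"))
    return [tlv(0x02, b"\x01"), sig_alg, _name(issuer_cn), validity, _name(subject_cn), spki]

def _wrap(tbs):
    """Certificate = SEQ { tbs, signatureAlgorithm, stub signatureValue }."""
    return seq(tbs, seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b"))), tlv(0x03, b"\x00"))

def make_v1_self_signed(cn):
    """Version 1, no extensions: the shape of the 1996 root described in the report."""
    return _wrap(seq(*_tbs_fields(cn, cn)))

def make_v3(issuer_cn, subject_cn, ca):
    """Version 3 with a critical Basic Constraints extension, cA as requested."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    bc_value = seq(tlv(0x01, b"\xff")) if ca else seq()
    ext = seq(tlv(0x06, b"\x55\x1d\x13"), tlv(0x01, b"\xff"), tlv(0x04, bc_value))
    return _wrap(seq(version, *_tbs_fields(issuer_cn, subject_cn), tlv(0xA3, seq(ext))))

if __name__ == "__main__":
    samples = [("v1 self-signed root", make_v1_self_signed("Old Root")),
               ("v3 intermediate, cA=TRUE", make_v3("Old Root", "Intermediate", True)),
               ("v3 self-signed, cA=FALSE", make_v3("Self", "Self", False))]
    for label, der in samples:
        info = inspect(der)
        print(f"{label:26} {info}  strict={accepted_as_ca(info)} "
              f"lenient={accepted_as_ca(info, strict=False)}")
```

Running it shows the trade-off the report sits on: the v1 root is rejected under the strict rule and accepted under the lenient one, while a v3 certificate that explicitly sets cA=FALSE is rejected by both. The lenient rule therefore makes every self-signed certificate in the trust directory an effective CA, so the contents of /etc/ssl/certs carry the whole weight of the decision.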
Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and appears to be a duplicate of bug 305264, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Feel free to continue to report any other bugs you may find.