2008-12-04 19:54:52 |
Andreas Hasenack |
bug |
|
|
added bug |
2008-12-04 19:55:31 |
Andreas Hasenack |
bug |
|
|
assigned to landscape |
2008-12-04 19:55:47 |
Andreas Hasenack |
landscape: importance |
Undecided |
Critical |
|
2008-12-04 19:55:47 |
Andreas Hasenack |
landscape: statusexplanation |
|
|
|
2008-12-04 19:55:47 |
Andreas Hasenack |
landscape: milestone |
|
mountainview-pre-2 |
|
2008-12-04 19:55:51 |
Andreas Hasenack |
landscape: importance |
Critical |
High |
|
2008-12-04 19:58:56 |
Andreas Hasenack |
bug |
|
|
assigned to landscape-client |
2008-12-04 20:18:55 |
Kees Cook |
bug |
|
|
assigned to gnutls13 (Ubuntu) |
2008-12-04 20:19:10 |
Kees Cook |
bug |
|
|
assigned to gnutls26 (Ubuntu) |
2008-12-04 20:19:47 |
Kees Cook |
gnutls26: status |
New |
Triaged |
|
2008-12-04 20:19:47 |
Kees Cook |
gnutls26: assignee |
|
jdstrand |
|
2008-12-04 20:19:47 |
Kees Cook |
gnutls26: statusexplanation |
|
|
|
2008-12-04 20:20:08 |
Kees Cook |
gnutls26: importance |
Undecided |
High |
|
2008-12-04 20:20:28 |
Kees Cook |
gnutls13: status |
New |
Triaged |
|
2008-12-04 20:20:28 |
Kees Cook |
gnutls13: assignee |
|
jdstrand |
|
2008-12-04 20:20:28 |
Kees Cook |
gnutls13: importance |
Undecided |
High |
|
2008-12-04 20:20:28 |
Kees Cook |
gnutls13: statusexplanation |
|
|
|
2008-12-04 20:20:48 |
Kees Cook |
gnutls12: status |
New |
Triaged |
|
2008-12-04 20:20:48 |
Kees Cook |
gnutls12: assignee |
|
jdstrand |
|
2008-12-04 20:20:48 |
Kees Cook |
gnutls12: importance |
Undecided |
High |
|
2008-12-04 20:20:48 |
Kees Cook |
gnutls12: statusexplanation |
|
|
|
2008-12-04 20:37:04 |
Andreas Hasenack |
landscape-client: importance |
Undecided |
High |
|
2008-12-04 20:37:04 |
Andreas Hasenack |
landscape-client: statusexplanation |
|
|
|
2008-12-04 22:24:23 |
Jamie Strandboge |
gnutls12: status |
Triaged |
New |
|
2008-12-04 22:24:41 |
Jamie Strandboge |
gnutls13: status |
Triaged |
New |
|
2008-12-04 22:25:50 |
Jamie Strandboge |
gnutls26: status |
Triaged |
New |
|
2008-12-04 22:30:56 |
Jamie Strandboge |
gnutls12: assignee |
jdstrand |
|
|
2008-12-04 22:31:11 |
Jamie Strandboge |
gnutls13: assignee |
jdstrand |
|
|
2008-12-04 22:31:26 |
Jamie Strandboge |
gnutls26: assignee |
jdstrand |
|
|
2008-12-04 22:33:02 |
Jamie Strandboge |
gnutls12: status |
New |
Invalid |
|
2008-12-04 22:33:02 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
|
|
2008-12-04 22:33:23 |
Jamie Strandboge |
gnutls12: status |
New |
Invalid |
|
2008-12-04 22:33:23 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
|
|
2008-12-04 22:33:40 |
Jamie Strandboge |
gnutls12: status |
New |
Invalid |
|
2008-12-04 22:33:40 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
|
|
2008-12-04 22:33:56 |
Jamie Strandboge |
gnutls12: status |
New |
Invalid |
|
2008-12-04 22:33:56 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
|
|
2008-12-04 22:34:16 |
Jamie Strandboge |
gnutls13: status |
New |
Invalid |
|
2008-12-04 22:34:16 |
Jamie Strandboge |
gnutls13: statusexplanation |
|
|
|
2008-12-04 22:34:40 |
Jamie Strandboge |
gnutls13: status |
New |
Invalid |
|
2008-12-04 22:34:40 |
Jamie Strandboge |
gnutls13: statusexplanation |
|
|
|
2008-12-04 22:35:03 |
Jamie Strandboge |
gnutls13: status |
New |
Invalid |
|
2008-12-04 22:35:03 |
Jamie Strandboge |
gnutls13: statusexplanation |
|
|
|
2008-12-04 22:35:24 |
Jamie Strandboge |
gnutls26: status |
New |
Invalid |
|
2008-12-04 22:35:24 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
|
|
2008-12-04 22:35:42 |
Jamie Strandboge |
gnutls26: status |
New |
Invalid |
|
2008-12-04 22:35:42 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
|
|
2008-12-04 22:36:03 |
Jamie Strandboge |
gnutls26: status |
New |
Invalid |
|
2008-12-04 22:36:03 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
|
|
2008-12-04 23:40:12 |
Jamie Strandboge |
bug |
|
|
assigned to gnutls26 (Debian) |
2008-12-05 00:58:40 |
Jamie Strandboge |
gnutls13: status |
New |
Confirmed |
|
2008-12-05 00:58:40 |
Jamie Strandboge |
gnutls13: assignee |
|
jdstrand |
|
2008-12-05 00:58:40 |
Jamie Strandboge |
gnutls13: statusexplanation |
|
|
|
2008-12-05 00:58:52 |
Jamie Strandboge |
gnutls13: status |
New |
Confirmed |
|
2008-12-05 00:58:52 |
Jamie Strandboge |
gnutls13: assignee |
|
jdstrand |
|
2008-12-05 00:58:52 |
Jamie Strandboge |
gnutls13: statusexplanation |
|
|
|
2008-12-05 00:59:12 |
Jamie Strandboge |
gnutls26: status |
New |
Confirmed |
|
2008-12-05 00:59:12 |
Jamie Strandboge |
gnutls26: assignee |
|
jdstrand |
|
2008-12-05 00:59:12 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
|
|
2008-12-05 20:23:05 |
Jamie Strandboge |
gnutls12: status |
New |
In Progress |
|
2008-12-05 20:23:05 |
Jamie Strandboge |
gnutls12: assignee |
|
jdstrand |
|
2008-12-05 20:23:05 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
|
|
2008-12-05 20:23:29 |
Jamie Strandboge |
gnutls13: status |
Confirmed |
In Progress |
|
2008-12-05 20:23:39 |
Jamie Strandboge |
gnutls13: status |
Confirmed |
In Progress |
|
2008-12-05 20:24:06 |
Jamie Strandboge |
gnutls26: status |
Confirmed |
In Progress |
|
2008-12-05 20:25:49 |
Jamie Strandboge |
gnutls26: status |
New |
In Progress |
|
2008-12-05 20:25:49 |
Jamie Strandboge |
gnutls26: assignee |
|
jdstrand |
|
2008-12-05 20:25:49 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
|
|
2008-12-09 02:46:10 |
Jamie Strandboge |
gnutls26: status |
In Progress |
Fix Released |
|
2008-12-09 02:46:10 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
This is fixed in 2.4.2-2 on Jaunty. |
|
2008-12-09 22:52:13 |
Launchpad Janitor |
gnutls13: status |
In Progress |
Fix Released |
|
2008-12-09 22:52:42 |
Launchpad Janitor |
gnutls13: status |
In Progress |
Fix Released |
|
2008-12-09 22:53:05 |
Launchpad Janitor |
gnutls26: status |
In Progress |
Fix Released |
|
2008-12-09 23:52:30 |
Andreas Hasenack |
landscape-client: status |
New |
Invalid |
|
2008-12-09 23:52:46 |
Andreas Hasenack |
landscape: status |
New |
Invalid |
|
2008-12-10 05:30:01 |
Jamie Strandboge |
gnutls12: status |
In Progress |
Fix Released |
|
2008-12-10 05:30:01 |
Jamie Strandboge |
gnutls12: statusexplanation |
|
http://www.ubuntu.com/usn/usn-678-2 |
|
2008-12-23 16:50:52 |
Jamie Strandboge |
bug |
|
|
assigned to openldap (Ubuntu) |
2008-12-23 16:51:17 |
Jamie Strandboge |
openldap: status |
New |
Invalid |
|
2008-12-23 16:51:17 |
Jamie Strandboge |
openldap: statusexplanation |
|
|
|
2008-12-23 16:51:42 |
Jamie Strandboge |
openldap: status |
New |
Invalid |
|
2008-12-23 16:51:42 |
Jamie Strandboge |
openldap: statusexplanation |
|
|
|
2008-12-23 16:53:15 |
Jamie Strandboge |
openldap: status |
New |
Confirmed |
|
2008-12-23 16:53:15 |
Jamie Strandboge |
openldap: statusexplanation |
|
|
|
2008-12-23 16:53:27 |
Jamie Strandboge |
openldap: status |
New |
Confirmed |
|
2008-12-23 16:53:27 |
Jamie Strandboge |
openldap: statusexplanation |
|
|
|
2008-12-23 17:24:26 |
Jamie Strandboge |
openldap: status |
New |
Confirmed |
|
2008-12-23 17:24:26 |
Jamie Strandboge |
openldap: statusexplanation |
|
|
|
2009-01-29 04:19:31 |
Steve Langasek |
gnutls26: statusexplanation |
|
|
|
2009-01-29 04:55:33 |
Steve Langasek |
gnutls26: status |
Fix Released |
Triaged |
|
2009-01-29 04:55:33 |
Steve Langasek |
gnutls26: statusexplanation |
This is fixed in 2.4.2-2 on Jaunty. |
|
|
2009-01-29 04:55:59 |
Steve Langasek |
gnutls26: status |
Fix Released |
Triaged |
|
2009-01-29 04:56:33 |
Steve Langasek |
gnutls13: status |
Fix Released |
Triaged |
|
2009-01-29 04:56:54 |
Steve Langasek |
gnutls13: status |
Fix Released |
Triaged |
|
2009-01-29 04:57:28 |
Steve Langasek |
gnutls12: status |
Fix Released |
Triaged |
|
2009-01-29 04:57:28 |
Steve Langasek |
gnutls12: statusexplanation |
http://www.ubuntu.com/usn/usn-678-2 |
|
|
2009-01-29 04:57:54 |
Steve Langasek |
openldap: status |
Confirmed |
Invalid |
|
2009-01-29 04:58:25 |
Steve Langasek |
openldap: status |
Confirmed |
Invalid |
|
2009-01-29 04:59:20 |
Steve Langasek |
openldap: status |
Confirmed |
Invalid |
|
2009-02-20 00:54:37 |
Steve Langasek |
openldap: status |
Invalid |
Triaged |
|
2009-02-20 00:54:37 |
Steve Langasek |
openldap: assignee |
|
mathiaz |
|
2009-02-20 00:54:37 |
Steve Langasek |
openldap: importance |
Undecided |
High |
|
2009-02-20 00:54:37 |
Steve Langasek |
openldap: statusexplanation |
|
Further discussion led to the observation that OpenLDAP's gnutls support is a port of the existing OpenSSL handling, and it's therefore reasonable for openldap itself to enable the V1 CA cert option in order to provide feature parity when building with GnuTLS vs. OpenSSL, even if this is not altogether desirable from a security POV. I'm therefore reopening the openldap tasks for those releases where openldap is linked against GnuTLS.
The upstream discussion also points to regressions in behavior that are side effects of the change, rather than deliberate security enhancements, which should therefore be fixed in the gnutls26 package still - so leaving those tasks open also. |
|
2009-02-20 00:55:16 |
Steve Langasek |
openldap: status |
Invalid |
Triaged |
|
2009-02-20 00:55:16 |
Steve Langasek |
openldap: importance |
Undecided |
High |
|
2009-02-20 00:56:52 |
Steve Langasek |
openldap: status |
Invalid |
Triaged |
|
2009-02-20 00:56:52 |
Steve Langasek |
openldap: importance |
Undecided |
High |
|
2009-02-20 19:57:12 |
Jamie Strandboge |
gnutls12: status |
Triaged |
In Progress |
|
2009-02-20 19:58:15 |
Jamie Strandboge |
gnutls13: status |
Triaged |
In Progress |
|
2009-02-20 19:58:21 |
Jamie Strandboge |
gnutls13: status |
Triaged |
In Progress |
|
2009-02-20 19:58:40 |
Jamie Strandboge |
gnutls26: status |
Triaged |
In Progress |
|
2009-02-20 19:58:58 |
Jamie Strandboge |
gnutls26: importance |
Undecided |
High |
|
2009-02-20 20:37:35 |
Jamie Strandboge |
gnutls26: status |
Triaged |
Fix Released |
|
2009-02-20 20:37:35 |
Jamie Strandboge |
gnutls26: statusexplanation |
|
Upstream released 2.4.3 to address both the vulnerability and the known regressions. Reviewing upstream's mailing list shows no regressions so far with this version. I've sync'd Jaunty with 2.4.2-6, which brings its patches in line with upstream 2.4.3, so I am marking Jaunty as 'Fix Released'.
I have backported the relevant patches to Dapper through Intrepid, and am testing them now. I will upload them shortly for testing. |
|
2009-02-20 21:25:39 |
Jamie Strandboge |
gnutls12: status |
In Progress |
Fix Committed |
|
2009-02-20 21:26:00 |
Jamie Strandboge |
gnutls13: status |
In Progress |
Fix Committed |
|
2009-02-20 21:26:03 |
Jamie Strandboge |
gnutls13: status |
In Progress |
Fix Committed |
|
2009-02-20 21:26:19 |
Jamie Strandboge |
gnutls26: status |
In Progress |
Fix Committed |
|
2009-02-21 12:47:16 |
Jamie Strandboge |
bug |
|
|
added subscriber SRU Verification |
2009-03-06 22:31:17 |
Mathias Gug |
openldap: status |
Triaged |
In Progress |
|
2009-03-06 22:31:17 |
Mathias Gug |
openldap: statusexplanation |
Further discussion led to the observation that OpenLDAP's gnutls support is a port of the existing OpenSSL handling, and it's therefore reasonable for openldap itself to enable the V1 CA cert option in order to provide feature parity when building with GnuTLS vs. OpenSSL, even if this is not altogether desirable from a security POV. I'm therefore reopening the openldap tasks for those releases where openldap is linked against GnuTLS.
The upstream discussion also points to regressions in behavior that are side effects of the change, rather than deliberate security enhancements, which should therefore be fixed in the gnutls26 package still - so leaving those tasks open also. |
|
|
2009-03-06 23:35:07 |
Launchpad Janitor |
openldap: status |
In Progress |
Fix Released |
|
2009-03-06 23:40:47 |
Mathias Gug |
bug |
|
|
added attachment 'gnutls-v1-cert-enabled.patch' (gnutls-v1-cert-enabled.patch) |
2009-03-25 15:22:17 |
Mathias Gug |
openldap: assignee |
|
mathiaz |
|
2009-03-25 15:22:46 |
Mathias Gug |
openldap: assignee |
|
mathiaz |
|
2009-03-25 22:59:48 |
Mathias Gug |
description |
I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.
This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:
gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com
I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.
I concentrated the rest of my tests in dapper.
With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.
Here is the chain as seen by gnutls against staging.landscape.canonical.com:
[0]
Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
[1]
Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
[2]
Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
Notice that the last certificate in the chain is the CA certificate, which is self signed. I wonder if the recent security fix broke that:
- debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
if it is self-signed in lib/x509/verify.c
Here is openssl's chain against the same site (staging):
Certificate chain
0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
Openssl's s_client tool works, btw. |
I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.
This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:
gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com
I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.
I concentrated the rest of my tests in dapper.
With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.
Here is the chain as seen by gnutls against staging.landscape.canonical.com:
[0]
Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
[1]
Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
[2]
Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
Notice that the last certificate in the chain is the CA certificate, which is self signed. I wonder if the recent security fix broke that:
- debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
if it is self-signed in lib/x509/verify.c
Here is openssl's chain against the same site (staging):
Certificate chain
0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
Openssl's s_client tool works, btw.
TESTCASE for openldap SRU:
1. Generate a V1 root CA. Can be done with an openssl configuration that does not use any x509 extensions. Make sure that the generated root CA is a V1 root CA.
2. Generate a client private key and a V1 certificate signed by the root CA above. Note that the CN of the certificate has to match the fqdn of the test system.
3. Install slapd and ldap-utils on a test system and configure slapd to use TLS:
a. Enable TLS in cn=config backend:
mathiaz@t-slapd-i:~$ cat enable-ca.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cacert.pem

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/newcert.pem

dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.pem
mathiaz@t-slapd-i:~$ ldapmodify -D "cn=admin,cn=config" -x -w mypwd -f enable-ca.ldif
b. Copy the root CA certificate to /etc/ldap/cacert.pem, the host certificate to /etc/ldap/newcert.pem and the host private key to /etc/ldap/key.pem. Make them owned by the openldap user and group.
c. Append the root CA certificate (/etc/ldap/cacert.pem) to the host certificate file (/etc/ldap/newcert.pem).
d. Enable ldaps in /etc/default/slapd.
e. Restart slapd.
4. Make sure that slapd is correctly configured to use TLS:
a. Downgrade libgnutls to the version in the release (not the one in -security, -update or -proposed).
b. Check that ldapsearch works correctly against the ldap server via ldaps:
ldapsearch -D "cn=admin, dc=vmnet" -b "dc=vmnet" -x -w mypwd -H ldaps://t-slapd-i./
The command above should return a dump of the ldap database and not a connection error.
5. Upgrade libgnutls to the latest version available. The command above should return a connection error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This is the regression.
6. Update slapd, ldap-utils and libldap-2.4-2. The command above should return a dump of the database and not a connection error. |
|
2009-03-25 23:04:08 |
Mathias Gug |
openldap: status |
Triaged |
Fix Committed |
|
2009-03-25 23:04:39 |
Mathias Gug |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2009-03-27 20:06:11 |
Mathias Gug |
openldap: status |
Triaged |
Fix Committed |
|
2009-05-07 13:36:39 |
Sergio Zanchetta |
gnutls13 (Ubuntu Gutsy): status |
Fix Committed |
Won't Fix |
|
2009-06-25 13:32:35 |
Mika Pflüger |
attachment added |
|
output of gnutls-cli -p636 --x509cafile CAFILE srv.obf.obf.ob http://launchpadlibrarian.net/28369414/gnutls-cli_-p636_--x509cafile_CAFILE_srv.obf.usc.at |
|
2009-06-25 13:33:20 |
Mika Pflüger |
attachment added |
|
our ldap.conf http://launchpadlibrarian.net/28369422/ldap.conf |
|
2009-06-25 13:35:17 |
Mika Pflüger |
attachment added |
|
output of ldapsearch -x -ZZ -d7 http://launchpadlibrarian.net/28369454/ldapsearch_-x_-ZZ_-d7 |
|
2009-06-27 03:23:10 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-security |
|
2009-06-27 03:23:11 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/intrepid/gnutls26/intrepid-proposed |
|
2009-06-27 05:45:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic/openldap |
|
2009-06-27 05:50:20 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/intrepid/openldap/intrepid-proposed |
|
2009-07-08 15:37:29 |
Launchpad Janitor |
gnutls13 (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
2009-07-08 17:50:21 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/gutsy-updates/gnutls13 |
|
2009-07-08 17:50:27 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/gutsy/gnutls13/gutsy-proposed |
|
2009-07-08 17:52:07 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-security |
|
2009-07-08 17:52:09 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/hardy/gnutls13/hardy-proposed |
|
2009-07-09 12:19:11 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-proposed |
|
2009-07-09 15:51:09 |
Doug Engert |
attachment added |
|
f0a38a80.0 http://launchpadlibrarian.net/28850380/f0a38a80.0 |
|
2009-07-09 15:51:09 |
Doug Engert |
attachment added |
|
auth2.it.anl.gov.cert.pem http://launchpadlibrarian.net/28850381/auth2.it.anl.gov.cert.pem |
|
2009-07-09 15:51:09 |
Doug Engert |
attachment added |
|
7651b327.0 http://launchpadlibrarian.net/28850382/7651b327.0 |
|
2009-07-09 15:51:09 |
Doug Engert |
attachment added |
|
verify.trace.txt http://launchpadlibrarian.net/28850383/verify.trace.txt |
|
2009-07-09 15:51:09 |
Doug Engert |
attachment added |
|
verify.c http://launchpadlibrarian.net/28850384/verify.c |
|
2009-07-09 16:17:28 |
Andy Wettstein |
attachment added |
|
openssl.cnf http://launchpadlibrarian.net/28850996/openssl.cnf |
|
2009-08-08 06:29:30 |
Jamie Strandboge |
cve linked |
|
2009-2409 |
|
2009-08-13 17:38:38 |
Jamie Strandboge |
openldap (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
2009-08-13 17:52:56 |
Jamie Strandboge |
gnutls12 (Ubuntu Dapper): status |
Fix Committed |
Fix Released |
|
2009-08-13 17:54:02 |
Jamie Strandboge |
tags |
verification-needed |
verification-done |
|
2009-08-13 17:54:50 |
Launchpad Janitor |
gnutls26 (Ubuntu Intrepid): status |
Fix Committed |
Fix Released |
|
2009-08-13 17:59:13 |
Launchpad Janitor |
openldap (Ubuntu Intrepid): status |
Fix Committed |
Fix Released |
|
2009-08-13 18:04:19 |
Howard Chu |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256 |
|
2009-08-13 18:32:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/dapper-security/gnutls12 |
|
2011-03-16 21:40:40 |
Joseph Salisbury |
bug |
|
|
added subscriber Joseph Salisbury |
2011-03-17 10:56:55 |
Tom Ellis |
bug |
|
|
added subscriber Tom Ellis |
2011-03-17 13:23:03 |
Mark Russell |
bug |
|
|
added subscriber Mark Russell |
2011-08-11 04:32:48 |
Bug Watch Updater |
gnutls26 (Debian): status |
Unknown |
Fix Released |
|
2022-06-13 18:23:01 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
2022-06-13 19:08:48 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
|