gnutls fails to use Verisign CA cert without a Basic Constraint

Bug #314915 reported by Doug Engert
Affects Status Importance Assigned to Milestone
gnutls13 (Ubuntu)

Bug Description

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3.

ldapsearch -d 1 -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The OpenLDAP ldap server certificate issued by Verisign is signed by:


which is signed by:

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

is a self signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.

Revision history for this message
Doug Engert (deengert) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and appears to be a duplicate of bug 305264, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Feel free to continue to report any other bugs you may find.

Changed in gnutls13:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.