I have finally been able to reproduce this with ldapsearch.
After performing:
$ sudo apt-get install ca-certificates ldap-utils
I tried the following on unpatched Hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
ldap_open_defconn: successful
...
and then on patched Hardy:
$ LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt ldapsearch -ZZ -H ldaps://<Ian's public ldap server>:636/ -d 1
...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
All patched versions of gnutls on Hardy, Intrepid, Jaunty and Debian Sid
are affected (Dapper and Gutsy ldap-utils use openssl and are not
affected).
I cannot reproduce this with the gnutls tools. I have Ian's certificate
and the result of:
$ certtool -e --infile <Ian's certificate>
is the same for unpatched and patched versions of gnutls on Hardy and
Intrepid, and also on Jaunty.
I then did:
$ gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 \
<Ian's public ldap server>
and it works fine on patched and unpatched versions of gnutls on Hardy
and Intrepid, and also on Jaunty.