Further discussion led to the observation that OpenLDAP's gnutls support is a port of the existing OpenSSL handling, and it's therefore reasonable for openldap itself to enable the V1 CA cert option in order to provide feature parity when building with GnuTLS vs. OpenSSL, even if this is not altogether desirable from a security POV. I'm therefore reopening the openldap tasks for those releases where openldap is linked against GnuTLS.
The upstream discussion also points to regressions in behavior that are side effects of the change, rather than deliberate security enhancements, which should therefore be fixed in the gnutls26 package still - so leaving those tasks open also.