Full_Name: Mathias Gug
Version: 2.4.15
OS: Ubuntu Linux (Jaunty - 9.04)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.56.226.136)
Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a CA chain is checked. Thus libldap+gnutls breaks in an existing environment when one of the CA certs is a V1 certificate. However, libldap+openssl still supports V1 certificates in the CA chain.
See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more information.
Could libldap+gnutls be updated to also support V1 CA certificates to match features provided by libldap+openssl?
To reproduce:
0. Need two versions of openldap: one compiled with gnutls, the other with openssl.
1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with the certificates issued above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:
mathiaz@t-slapd-gnutls:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On a system with libldap+openssl:
mathiaz@t-slapd-openssl:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./
# extended LDIF
#
# LDAPv3
# base <dc=vmnet> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# vmnet
dn: dc=vmnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: vmnet
dc: vmnet

# admin, vmnet
dn: cn=admin,dc=vmnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fWtlVHlnV1lleFBDWFU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
$
ldapsearch is able to connect to the slapd+openssl server.
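The report's reproduction steps hinge on whether a CA in the chain is an X.509 v1 certificate, which is the property GnuTLS 2.6.3 started rejecting. The following is an added example, not part of the ITS report or of OpenLDAP, GnuTLS or OpenSSL code: it scans a PEM bundle (such as the file a `TLS_CACERT` directive points at) and reports which certificates are v1, by reading the DER version field directly. In the tbsCertificate SEQUENCE the `version` element is `[0] EXPLICIT INTEGER DEFAULT v1(0)`, so a v1 certificate simply omits it and the first element is the serialNumber INTEGER. The sample bundle at the bottom is constructed from skeleton TBS structures that carry only a version and a serial number; they are not valid certificates, just enough DER for the version check. This is the same information `openssl x509 -noout -text` prints as `Version: 1 (0x0)`, without needing the openssl binary.

```python
"""Added example: find X.509 v1 certificates in a PEM bundle (constructed sample data)."""
import base64
import re


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length: 0x8n followed by n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1, serialNumber INTEGER, ... }, ... }
    """
    tag, start, _ = _read_tlv(der, 0)              # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)      # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, tbs_start)     # first TBS element
    if tag != 0xA0:
        return 1                                   # no [0] version tag: DEFAULT v1
    itag, istart, iend = _read_tlv(der, vstart)    # INTEGER inside the [0] wrapper
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded 0/1/2 -> v1/v2/v3


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_versions(bundle_text):
    """Return [(index, version), ...] for every CERTIFICATE block in a PEM bundle."""
    result = []
    for i, m in enumerate(_PEM_RE.finditer(bundle_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        result.append((i, x509_version(der)))
    return result


def v1_certs(bundle_text):
    """Indices of the certificates in the bundle that are X.509 v1."""
    return [i for i, v in pem_versions(bundle_text) if v == 1]


# --- constructed sample data (hypothetical, not valid certificates) -------------

def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _skeleton_cert(version):
    """Minimal Certificate/TBS skeleton: optional [0] version, then serialNumber 1."""
    tbs = b""
    if version != 1:
        tbs += _der(0xA0, _der(0x02, bytes([version - 1])))
    tbs += _der(0x02, b"\x01")
    return _der(0x30, _der(0x30, tbs))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed bundle: v3 root, v1 intermediate (the case that breaks GnuTLS >= 2.6.3), v3 leaf.
SAMPLE_BUNDLE = _pem(_skeleton_cert(3)) + _pem(_skeleton_cert(1)) + _pem(_skeleton_cert(3))

if __name__ == "__main__":
    for idx, ver in pem_versions(SAMPLE_BUNDLE):
        print(f"certificate {idx}: X.509 v{ver}")
    print("v1 certificates at indices:", v1_certs(SAMPLE_BUNDLE))
```

Run it against a real bundle with `pem_versions(open("/etc/ssl/certs/ca-certificates.crt").read())` (path is an assumption; substitute the file your `ldap.conf` `TLS_CACERT` names). Any index it reports as v1 identifies a CA that a libldap+gnutls client built against GnuTLS 2.6.3 or later will refuse, which is the condition the report describes; re-issuing that CA as a v3 certificate with basicConstraints is the remediation on the certificate side.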