--- On Wed, 6/17/09, Howard Chu hyc@symas.com wrote:
From: Howard Chu hyc@symas.com Subject: Re: ldap not finding internal CA? To: "Kurt Yoder" ktyopenldap@yoderhome.com Cc: openldap-technical@openldap.org Date: Wednesday, June 17, 2009, 8:55 PM Kurt Yoder wrote:
[... skip ...]
My openldap is version 2.4.15 on Ubuntu Jaunty.
[... skip ...]
The GnuTLS issues with X.509v1 certs were fixed in 2.4.16, so you need to upgrade.
Sorry about any confusion but Jaunty doesn't actually have 2.4.15 but a custom version ("2.4.15-1ubuntu3") from Ubuntu:
https://launchpad.net/ubuntu/jaunty/amd64/slapd
The diff for ITS#5992 is in Jaunty
$ cat gnutls-enable-v1-ca-certs ## Mathias Gug <mathiaz-at-ubuntu.com> ## Enable V1 CA certs to be trusted. ## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992 ## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 ## Fixed in > 2.4.15 ## Patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238
--- openldap.orig/libraries/libldap/tls_g.c 2009-03-02 02:01:41 +0000 +++ openldap/libraries/libldap/tls_g.c 2009-03-05 03:35:49 +0000 @@ -1,5 +1,5 @@ /* tls_g.c - Handle tls/ssl using GNUTLS. */ -/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp $ */ +/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */ /* This work is part of OpenLDAP Software http://www.openldap.org/. * * Copyright 2008-2009 The OpenLDAP Foundation. @@ -349,6 +349,13 @@ if ( rc < 0 ) return -1; rc = 0; } + + /* FIXME: ITS#5992 - this should go be configurable, + * and V1 CA certs should be phased out ASAP. + */ + gnutls_certificate_set_verify_flags( ctx->cred, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); + if ( is_server ) { gnutls_dh_params_init(&ctx->dh_params); gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
However: Jaunty does not appear to contain the diff for ITS#5991.
Both ITS#5991 and ITS#5992 are squashed into the same CVS delta for: openldap-*/libraries/libldap/tls_g.c
diffs between version 1.6.2.3 and 1.6.2.4 of tls_g.c
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=1...
Mathias Gug writes in ITS#5991: << Thanks for the workaround. It works as expected. I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu yet. >>
Link to ITS#5991 -
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5991;selectid=5991;...
On a related note, Jaunty vs. pre-Jaunty does this:
$ gnutls-cli -p 636 XXXX.XXX.XXX -d 4711 --x509cafile /etc/ldap/cacerts/my-ca.cert.pem --print-cert
On Jaunty the output contains: - Peer's certificate is NOT trusted
On previous Ubuntu releases (Intrepid, Hardy): - Peer's certificate is trusted
Same certificate, same command line arguments, same /etc/ldap/ldap.conf file.
Thanks, Ken
openldap-technical@openldap.org