Re: ldap not finding internal CA? - openldap-technical

18 Jun 2009

--- On Wed, 6/17/09, Howard Chu hyc@symas.com wrote:
...
From: Howard Chu hyc@symas.com
Subject: Re: ldap not finding internal CA?
To: "Kurt Yoder" ktyopenldap@yoderhome.com
Cc: openldap-technical@openldap.org
Date: Wednesday, June 17, 2009, 8:55 PM
Kurt Yoder wrote:
[... skip ...]
...
...
My openldap is version 2.4.15 on Ubuntu Jaunty.
[... skip ...]
...
The GnuTLS issues with X.509v1 certs were fixed in 2.4.16,
so you need to upgrade.
Sorry about any confusion but Jaunty doesn't actually have 2.4.15 but a custom version ("2.4.15-1ubuntu3") from Ubuntu:
https://launchpad.net/ubuntu/jaunty/amd64/slapd
The diff for ITS#5992 is in Jaunty
$ cat gnutls-enable-v1-ca-certs
## Mathias Gug <mathiaz-at-ubuntu.com>
## Enable V1 CA certs to be trusted.
## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992
## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264
## Fixed in > 2.4.15
## Patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238

--- openldap.orig/libraries/libldap/tls_g.c     2009-03-02 02:01:41 +0000
+++ openldap/libraries/libldap/tls_g.c  2009-03-05 03:35:49 +0000
@@ -1,5 +1,5 @@
/* tls_g.c - Handle tls/ssl using GNUTLS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */
/* This work is part of OpenLDAP Software http://www.openldap.org/.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -349,6 +349,13 @@
                if ( rc < 0 ) return -1;
                rc = 0;
        }
+
+       /* FIXME: ITS#5992 - this should go be configurable,
+        * and V1 CA certs should be phased out ASAP.
+        */
+       gnutls_certificate_set_verify_flags( ctx->cred,
+               GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
        if ( is_server ) {
                gnutls_dh_params_init(&ctx->dh_params);
                gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
However: Jaunty does not appear to contain the diff for ITS#5991.
Both ITS#5991 and ITS#5992 are squashed into the same CVS delta for:
openldap-*/libraries/libldap/tls_g.c
diffs between version 1.6.2.3 and 1.6.2.4 of tls_g.c
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=1...
Mathias Gug writes in ITS#5991: << Thanks for the workaround. It works as expected. I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu yet. >>
Link to ITS#5991 -
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5991;selectid=5991;...
On a related note, Jaunty vs. pre-Jaunty does this:
$ gnutls-cli -p 636 XXXX.XXX.XXX -d 4711 --x509cafile /etc/ldap/cacerts/my-ca.cert.pem --print-cert
On Jaunty the output contains:
- Peer's certificate is NOT trusted
On previous Ubuntu releases (Intrepid, Hardy):
- Peer's certificate is trusted
Same certificate, same command line arguments, same /etc/ldap/ldap.conf file.
Thanks,
Ken

    