--- On Wed, 6/17/09, Howard Chu <hyc(a)symas.com> wrote:
From: Howard Chu <hyc(a)symas.com>
Subject: Re: ldap not finding internal CA?
To: "Kurt Yoder" <ktyopenldap(a)yoderhome.com>
Cc: openldap-technical(a)openldap.org
Date: Wednesday, June 17, 2009, 8:55 PM
Kurt Yoder wrote:
[... skip ...]
> My openldap is version 2.4.15 on Ubuntu Jaunty.
[... skip ...]
The GnuTLS issues with X.509v1 certs were fixed in 2.4.16,
so you need to upgrade.
Sorry about any confusion, but Jaunty doesn't actually have 2.4.15; it has a custom version
("2.4.15-1ubuntu3") from Ubuntu:
https://launchpad.net/ubuntu/jaunty/amd64/slapd
The diff for ITS#5992 is in Jaunty
$ cat gnutls-enable-v1-ca-certs
## Mathias Gug <mathiaz-at-ubuntu.com>
## Enable V1 CA certs to be trusted.
## ITS: 5992 -
http://www.openldap.org/its/index.cgi?findid=5992
## LP:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264
## Fixed in > 2.4.15
## Patch:
http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238
--- openldap.orig/libraries/libldap/tls_g.c 2009-03-02 02:01:41 +0000
+++ openldap/libraries/libldap/tls_g.c 2009-03-05 03:35:49 +0000
@@ -1,5 +1,5 @@
/* tls_g.c - Handle tls/ssl using GNUTLS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp
$ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */
/* This work is part of OpenLDAP Software <
http://www.openldap.org/>.
*
* Copyright 2008-2009 The OpenLDAP Foundation.
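Review bot: this hunk changes only the $OpenLDAP$ CVS keyword line (1.6.2.2 to 1.9) and carries no code, so it should be dropped from a distribution patch; it adds nothing functional and will conflict with every later revision of tls_g.c when the patch is rebased.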
@@ -349,6 +349,13 @@
if ( rc < 0 ) return -1;
rc = 0;
}
+
+ /* FIXME: ITS#5992 - this should go be configurable,
+ * and V1 CA certs should be phased out ASAP.
+ */
+ gnutls_certificate_set_verify_flags( ctx->cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
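Review bot: the gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ) call added here runs unconditionally, so every libldap TLS context, client and server alike, accepts X.509v1 CA certificates with no way to switch the relaxation off, and the FIXME comment directly above it already concedes that "this should ... be configurable". Gate the call on a TLS option rather than shipping it always-on: the code right below already branches on is_server, so the context is a natural place to consult a per-context setting, and sites whose CAs are v3 then keep the stricter default. A one-line comment stating that this flag only admits v1 certificates that are already in the trusted CA set (not arbitrary v1 certificates in a chain) would also help the next reader judge its scope.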
However, Jaunty does not appear to contain the diff for ITS#5991.
Both ITS#5991 and ITS#5992 are squashed into the same CVS delta for:
openldap-*/libraries/libldap/tls_g.c
diffs between version 1.6.2.3 and 1.6.2.4 of tls_g.c
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r...
Mathias Gug writes in ITS#5991: << Thanks for the workaround. It works as expected.
I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu
yet. >>
Link to ITS#5991 -
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5991;selectid=59...
On a related note, Jaunty vs. pre-Jaunty does this:
$ gnutls-cli -p 636 XXXX.XXX.XXX -d 4711 --x509cafile /etc/ldap/cacerts/my-ca.cert.pem --print-cert
On Jaunty the output contains:
- Peer's certificate is NOT trusted
On previous Ubuntu releases (Intrepid, Hardy):
- Peer's certificate is trusted
Same certificate, same command line arguments, same /etc/ldap/ldap.conf file.
Thanks,
Ken
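A quick way to tell whether a CA bundle is affected by the behaviour discussed in this thread is to read the X.509 version of each certificate in it: an X.509v1 certificate has no version field at all (in TBSCertificate it is `[0] EXPLICIT INTEGER DEFAULT v1(0)`, so only v2 and v3 encode it) and carries no extensions, so there is no basicConstraints to say whether it is a CA, which is why a verifier has to be told explicitly to accept v1 CAs. The script below is an added example, not code from the thread, from OpenLDAP or from GnuTLS; it walks just enough DER with the Python standard library to read that field, and the certificate skeletons it uses as sample input are constructed in the script itself (they are not valid certificates, only carriers for the version field). The path in the usage comment is an illustration, not something the thread states.

```python
import base64
import re
import sys

# --- constructed sample input (not real certificates) ---------------------

def _tlv(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(version):
    """Constructed skeleton with just enough structure to carry a version
    field; it is not a valid certificate and is only used as sample input."""
    fields = _tlv(0x02, b"\x01") + _tlv(0x30, b"")      # serial, sigalg stub
    if version > 1:                                      # v1 has no field at all
        fields = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) + fields
    tbs = _tlv(0x30, fields)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _to_pem(der):
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _to_pem(_fake_cert(3)) + _to_pem(_fake_cert(1)) + _to_pem(_fake_cert(2))

# --- the check ------------------------------------------------------------

def _read_tlv(buf, pos):
    """Parse the DER element at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate.

    TBSCertificate starts with `version [0] EXPLICIT INTEGER DEFAULT v1(0)`;
    a v1 certificate omits it entirely, so its first element is the serial.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)
    if tag != 0xA0:
        return 1                             # no [0] version field -> v1
    itag, ver, _ = _read_tlv(first, 0)
    if itag != 0x02 or len(ver) != 1:
        raise ValueError("malformed version field")
    return ver[0] + 1                        # encoded value is version - 1


_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_versions(pem):
    """Versions of every certificate in a PEM bundle, in file order."""
    return [x509_version(base64.b64decode(b"".join(m.split())))
            for m in _PEM_RE.findall(pem)]


def v1_cert_indexes(pem):
    """Positions of the v1 certificates, i.e. the ones a verifier will not
    accept as CAs unless told to (the GnuTLS behaviour this thread concerns)."""
    return [i for i, v in enumerate(pem_bundle_versions(pem)) if v == 1]


if __name__ == "__main__":
    # Usage: python3 x509_v1_check.py /etc/ldap/cacerts/my-ca.cert.pem  (path is an example)
    bundles = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_BUNDLE}
    for name, pem in bundles.items():
        for i, v in enumerate(pem_bundle_versions(pem)):
            flag = "  <-- X.509v1: needs ALLOW_X509_V1_CA_CRT to be trusted as a CA" if v == 1 else ""
            print(f"{name}: cert #{i} is X.509v{v}{flag}")
```

Run it against the file passed to `--x509cafile` above: if the CA comes back as X.509v1, the "Peer's certificate is NOT trusted" result on Jaunty is the v1-CA rejection rather than a chain or hostname problem, and the lasting fix is to reissue the CA as a v3 certificate with basicConstraints rather than to keep the verify flag relaxed.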