Re: ldap not finding internal CA?
- To: openldap-technical@openldap.org
- Subject: Re: ldap not finding internal CA?
- From: gruntler-ldap@yahoo.com
- Date: Thu, 18 Jun 2009 11:38:01 -0700 (PDT)
--- On Wed, 6/17/09, Howard Chu <hyc@symas.com> wrote:
> From: Howard Chu <hyc@symas.com>
> Subject: Re: ldap not finding internal CA?
> To: "Kurt Yoder" <ktyopenldap@yoderhome.com>
> Cc: openldap-technical@openldap.org
> Date: Wednesday, June 17, 2009, 8:55 PM
> Kurt Yoder wrote:
[... skip ...]
> > My openldap is version 2.4.15 on Ubuntu Jaunty.
[... skip ...]
> The GnuTLS issues with X.509v1 certs were fixed in 2.4.16,
> so you need to upgrade.
Sorry about any confusion, but Jaunty doesn't actually have 2.4.15; it has a custom version ("2.4.15-1ubuntu3") from Ubuntu:
https://launchpad.net/ubuntu/jaunty/amd64/slapd
The diff for ITS#5992 is in Jaunty
$ cat gnutls-enable-v1-ca-certs
## Mathias Gug <mathiaz-at-ubuntu.com>
## Enable V1 CA certs to be trusted.
## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992
## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264
## Fixed in > 2.4.15
## Patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238
--- openldap.orig/libraries/libldap/tls_g.c 2009-03-02 02:01:41 +0000
+++ openldap/libraries/libldap/tls_g.c 2009-03-05 03:35:49 +0000
@@ -1,5 +1,5 @@
/* tls_g.c - Handle tls/ssl using GNUTLS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2008-2009 The OpenLDAP Foundation.
@@ -349,6 +349,13 @@
if ( rc < 0 ) return -1;
rc = 0;
}
+
+ /* FIXME: ITS#5992 - this should go be configurable,
+ * and V1 CA certs should be phased out ASAP.
+ */
+ gnutls_certificate_set_verify_flags( ctx->cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
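Review bot: the relaxation in this hunk is unconditional and has no configuration knob, which the FIXME comment itself concedes; gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ) is called before the `if ( is_server )` branch, so it loosens CA verification for every client and server TLS context this libldap build creates, not just for deployments that still have a V1 CA. Gate it behind a TLS option and document it, or at least log when it takes effect, rather than shipping it always-on; note also that the comment text "this should go be configurable" has a stray "go".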
However: Jaunty does not appear to contain the diff for ITS#5991.
Both ITS#5991 and ITS#5992 are squashed into the same CVS delta for:
openldap-*/libraries/libldap/tls_g.c
diffs between version 1.6.2.3 and 1.6.2.4 of tls_g.c
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=1.6.2.3&r2=1.6.2.4&hideattic=1&sortbydate=0&f=h
Mathias Gug writes in ITS#5991: << Thanks for the workaround. It works as expected. I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu yet. >>
Link to ITS#5991 -
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5991;selectid=5991;usearchives=1;statetype=-1
On a related note, Jaunty vs. pre-Jaunty does this:
$ gnutls-cli -p 636 XXXX.XXX.XXX -d 4711 --x509cafile /etc/ldap/cacerts/my-ca.cert.pem --print-cert
On Jaunty the output contains:
- Peer's certificate is NOT trusted
On previous Ubuntu releases (Intrepid, Hardy):
- Peer's certificate is trusted
Same certificate, same command line arguments, same /etc/ldap/ldap.conf file.
Thanks,
Ken
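The whole thread turns on whether the CA certificate is X.509 v1 (no version field), so a standalone check of that property is useful. This is an added example, not code from this thread, from OpenLDAP or from GnuTLS; it parses only the leading DER bytes of a certificate, and the stub byte strings at the bottom are constructed, not real certificates.

```python
"""Tell an X.509 v1 certificate (no version field) from a v2/v3 one.
Constructed example. Reads only the leading DER bytes: Certificate ::= SEQUENCE
{ tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1(0),
serialNumber INTEGER, ... } }. A v1 cert omits the [0] tag entirely, which is
what GnuTLS rejects for CA certs unless GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set.
"""
import base64
import re


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER structure")
    return tag, pos, pos + length


def pem_to_der(text: str) -> bytes:
    """Strip a PEM wrapper if present and return the raw DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    body = m.group(1) if m else text
    return base64.b64decode("".join(body.split()))


def x509_version(der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate."""
    tag, pos, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)      # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, pos, end = _read_tlv(der, pos)    # either [0] version or serialNumber
    if tag != 0xA0:
        return 1                           # version absent => DEFAULT v1(0)
    tag, pos, end = _read_tlv(der, pos)    # INTEGER inside the [0] wrapper
    if tag != 0x02:
        raise ValueError("malformed version field")
    return int.from_bytes(der[pos:end], "big") + 1


# Constructed stubs: only the leading bytes matter for this check.
V3_STUB = bytes.fromhex("300a3008a003020102020101")   # [0]{INTEGER 2}, serial 1
V1_STUB = bytes.fromhex("30053003020101")             # no version tag, serial 1
V1_PEM = "-----BEGIN CERTIFICATE-----\nMAUwAwIBAQ==\n-----END CERTIFICATE-----\n"
```

Run it over the text of the file passed to --x509cafile via pem_to_der; a result of 1 means the CA is the kind of certificate the ITS#5992 flag exists to tolerate, and the fix that does not weaken verification is reissuing the CA as a v3 certificate with basicConstraints.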