Accursed LDAP+SSL Breakage When Using libgcrypt
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Accursed LDAP+SSL Breakage When Using libgcrypt
- From: Ken Stailey <kstailey@yahoo.com>
- Date: Sun, 5 Feb 2012 09:45:18 -0800 (PST)
- Cc: DC Ubuntu <Ubuntu-us-dc@lists.ubuntu.com>
Hi,
I abandoned any efforts to get anyone to hack the broken libgcrypt11
so that it would stop dropping setuid permissions. This was motivated
largely by the fact that upstream GnuTLS started releasing versions
that were intended to stop using libcrypt as the crypto back-end along
with support for multiple crypto back-ends. The preferred crypto library
for GnuTLS is nettle now. This change requires a minimum of
GnuTLS 2.11.x and Ubuntu 12.04 is using GnuTLS 2.12.x.
There were miscellaneous announcements made about this change:
Andreas Metzler
http://lists.debian.org/debian-legal/2011/02/msg00006.html
{{ GnuTLS upstream has added support for different crypto backends in
2.11.x and has chosen nettle as prefered [sic] backend (2.10.x is using
libgcrypt). }}
It works for me, when I configure GnuTLS on Ubuntu 12.04 to use
nettle the painful regression goes away and I can use setuid
binaries from an LDAP account configured to access an LDAP
server via SSL.
To test on Ubuntu 12.04 or Debian Testing or Unstable simply:
apt-get build-dep libgnutls26
apt-get source gnutls26
to fetch the source for gnutls26-2.12.14 (or 2.12.16-1 on Debian)
then chop out
--with-libgcrypt
from the debian/rules file
and rebuild gnutls26
debuild -i -uc -us -b
and install the resulting .deb files.
Much to my chagrin, upstream Debian still configures GnuTLS to use
the horribly defective and rejected-by-upstream libgcrypt11 instead
of the preferred-by-upstream nettle despite both Debian Testing
and Debian Unstable having GnuTLS 2.12.16-1
$ grep with-libgcrypt sid/gnutls26-2.12.16/debian/rules
--cache-file=$(CURDIR)/config.cache --with-libgcrypt \
So I opened two bug reports:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739
https://bugs.launchpad.net/bugs/926350
Hope that helps.
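An added example, not part of the post above: a POSIX shell script that automates the rebuild steps the post lists (fetch source, drop --with-libgcrypt from debian/rules, debuild, install) and then checks which crypto backend the installed libgnutls actually links against. The libgnutls.so.26 path, the libgnutls26_*.deb package name and the gnutls26-* source directory glob are assumptions; run it as root on a Debian/Ubuntu host with deb-src entries enabled.

```shell
#!/bin/sh
# Added example (not code from the original post). Automates the rebuild
# described on the list and verifies the result. Paths and package names
# below are assumptions for a Debian/Ubuntu 12.04-era system.

# Remove the --with-libgcrypt configure flag from a debian/rules file in
# place, keeping the rest of the configure line (e.g. --cache-file=...).
strip_libgcrypt_flag() {
    rules="$1"
    sed -E 's/[[:space:]]*--with-libgcrypt([[:space:]]|$)/\1/g' "$rules" \
        > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Classify a GnuTLS shared object by the backend it links to. Reads `ldd`
# output on stdin and prints one of: nettle, libgcrypt, unknown.
backend_from_ldd() {
    out=$(cat)
    case "$out" in
        *libnettle*)  echo nettle ;;
        *libgcrypt*)  echo libgcrypt ;;
        *)            echo unknown ;;
    esac
}

# The post's rebuild steps, chained so any failure stops the sequence.
# Assumes it is run from an empty working directory as root.
rebuild_gnutls26() {
    apt-get build-dep libgnutls26 &&
    apt-get source gnutls26 &&
    cd gnutls26-*/ &&                        # e.g. gnutls26-2.12.14 (assumed)
    strip_libgcrypt_flag debian/rules &&
    debuild -i -uc -us -b &&
    cd .. &&
    dpkg -i ./libgnutls26_*.deb              # install at least the runtime lib
}

# After installing, confirm the library no longer pulls in libgcrypt.
# Library path is an assumption (multiarch or legacy /usr/lib layout).
check_installed_backend() {
    lib=$(ls /usr/lib/*/libgnutls.so.26 /usr/lib/libgnutls.so.26 2>/dev/null | head -n1)
    [ -n "$lib" ] || { echo "libgnutls.so.26 not found" >&2; return 1; }
    ldd "$lib" | backend_from_ldd
}
```

Expected result after a successful rebuild is `nettle`; `libgcrypt` means the stock Debian build is still installed.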