gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at anl.gov
Thu Jan 8 01:14:57 CET 2009


This is also being submitted to https://bugs.launchpad.net/bugs

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3. See attached
patch that should work in both.

ldapsearch -d 1  -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The OpenLDAP ldap server certificate issued by Verisign is signed by:

Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem

which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

Verisign_Class_3_Public_Primary_Certification_Authority.pem
is a self signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c  gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.




-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls.verify.patch.txt
URL: </pipermail/attachments/20090107/9b64b494/attachment.txt>


More information about the Gnutls-devel mailing list