gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at
Thu Jan 8 01:14:57 CET 2009

This is also being submitted to

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3. See attached
patch that should work in both.

ldapsearch -d 1  -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The OpenLDAP ldap server certificate issued by Verisign is signed by:


which is signed by:

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

is a self-signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and, if it is a self-signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls.verify.patch.txt
URL: </pipermail/attachments/20090107/9b64b494/attachment.txt>
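The CA decision the post describes, as an added Python example (not the attached patch and not gnutls code): it reproduces the patched verify.c logic with the `cryptography` library on constructed certificates. Assumptions: the constructed root is an X.509 v3 cert with no extensions at all rather than a v1 cert, since cryptography only emits v3, but the missing Basic Constraints that makes gnutls_x509_crt_get_ca_status return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is the same; all names and keys are made up.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, signer_key, issuer, pub_key, basic_ca=None):
    """Constructed test cert. basic_ca=None omits Basic Constraints entirely,
    the shape of the extension-less 1996 root described in the post."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(issuer)
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if basic_ca is not None:
        b = b.add_extension(x509.BasicConstraints(ca=basic_ca, path_length=None), critical=True)
    return b.sign(signer_key, hashes.SHA256())

def is_self_signed(cert):
    """Issuer equals subject and the signature verifies under the cert's own key."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == cert.subject

def ca_status(cert, patched=True):
    """With Basic Constraints present the extension decides (what
    gnutls_x509_crt_get_ca_status reports). Without it gnutls has no data
    (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE): the patched path accepts a
    self-signed cert as a CA, the unpatched path does not accept it."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        return "ca" if bc.ca else "not-ca"
    except x509.ExtensionNotFound:
        return "ca-self-signed-fallback" if patched and is_self_signed(cert) else "not-ca"

def demo():
    """Constructed chain: extension-less self-signed root, a leaf it signs with
    no Basic Constraints, and an intermediate carrying CA:TRUE."""
    root_key, other_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    root = make_cert("Constructed Root", root_key, name("Constructed Root"), root_key.public_key())
    leaf = make_cert("ldap.example.test", root_key, root.subject, other_key.public_key())
    inter = make_cert("Constructed Sub CA", root_key, root.subject, other_key.public_key(), basic_ca=True)
    return {"root": ca_status(root), "root_unpatched": ca_status(root, patched=False),
            "leaf": ca_status(leaf), "intermediate": ca_status(inter)}
```

Only the root changes between the two paths: an end-entity cert with no Basic Constraints stays a non-CA either way, so the fallback does not widen what a leaf can sign.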
