gnutls fails to use Verisign CA cert without a Basic Constraint
Douglas E. Engert
deengert at anl.gov
Thu Jan 8 01:14:57 CET 2009
This is also being submitted to https://bugs.launchpad.net/bugs
Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3. See attached
patch that should work in both.
ldapsearch -d 1 -H ldaps://...
TLS: peer cert untrusted or revoked (0x82)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The OpenLDAP ldap server certificate issued by Verisign is signed by:
which is signed by:
Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0
is a self signed version 1 cert issued in 1996, with no extensions.
In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.
Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the Gnutls-devel