LDAP over SSL does not work with Ubuntu Prolonged Pain
Thorsten Glaser
t.glaser at tarent.de
Thu May 10 13:59:29 CEST 2012
Hi,
we’ve got a range of systems in existence, from Debian etch
(formerly sarge) to sid, and Kubuntu hardy (formerly dapper)
to precise.
Now, their latest release, prolonged pain precisely, fails to
connect to our LDAP server (Univention Corporate Server 2.4),
whereas it works with OpenSSL. I’ve had similar issues in hardy
where a “security” update broke things due to GnuTLS, but this
is new, and somehow gnutls-cli lacks the usual debugging output.
root at foo-test:~ # openssl s_client -CAfile /etc/ssl/certs/ca-c* -connect dc.lan.tarent.de:636
CONNECTED(00000003)
depth=1 C = DE, ST = NRW, L = Bonn, O = tarent GmbH, OU = IT, CN = Univention Corporate Server Root CA, emailAddress = admins at tarent.de
verify return:1
depth=0 C = DE, ST = NRW, L = Bonn, O = tarent GmbH, OU = IT, CN = dc.lan.tarent.de, emailAddress = admins at tarent.de
verify return:1
---
Certificate chain
0 s:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=dc.lan.tarent.de/emailAddress=admins at tarent.de
i:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins at tarent.de
1 s:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins at tarent.de
i:/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins at tarent.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzENMAsGA1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdt
YkgxCzAJBgNVBAsTAklUMSwwKgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBT
ZXJ2ZXIgUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZTAe
Fw0xMTAyMDcxMDI0MjlaFw0xNjAyMDYxMDI0MjlaMIGJMQswCQYDVQQGEwJERTEM
MAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0YXJlbnQgR21i
SDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEGRjLmxhbi50YXJlbnQuZGUxHzAdBgkq
hkiG9w0BCQEWEGFkbWluc0B0YXJlbnQuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALec1kjx6ebHDWjNZ47DFCk91oMR0JU7dWKdDcJnX4NpIClXfYmfT5lU
1nIdEVkaG9vqAEgv1tXGVh78y5HENvjMoqndNK0vZuuJ+huoV5oLdfHaDKfQ9HM9
zyQedZVvu3/BZRI2ZOustxQrbZk/BbY2zEGZ+vtSiUaUgy2sNBPvAgMBAAGjggEB
MIH+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFIX4Fy+mIvJiFcXakJKmS6d+AH+mMIHR
BgNVHSMEgckwgcaAFGGbZa17dyVam6QIMlB3SSrW3R12oYGipIGfMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlggkAnXueqx7HokkwDQYJKoZIhvcNAQEFBQADggEBACM2aAg5fCBucTeX
RLy7tq8wb33nkPs9Ai2IyUSkdk5lIarNapKApYZKnX7cWrpNiGejG6lLyYXwS9oo
QQs94SnLt3583sL+VTxST3Xj4sQicbkZW+I/QX+Y3sACvhibDEawXHZPCzMQxNgk
LvBsaM7uAo7HhzoPVQlM32rg3mXX7Nsunv31hw/WjKHI0MW8YfBIPf3o40GGnDcn
QRFhzYQY3u+bYKz0qzy1YfQxjvqFBnrJJFC1m9wfZs9dfAjkDb5TDVTKR1y1sEaU
g2SrN46OVYEygNqlSTJdcgxcFWSrS1W3yrtBoduP8xqyWePasO3TTHWkNIwfKnPm
0HJAFlU=
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=dc.lan.tarent.de/emailAddress=admins at tarent.de
issuer=/C=DE/ST=NRW/L=Bonn/O=tarent GmbH/OU=IT/CN=Univention Corporate Server Root CA/emailAddress=admins at tarent.de
---
No client certificate CA names sent
---
SSL handshake has read 2755 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 8C490472FCC8CC171EC84BF3DE01F1350331F3B07609F84A140C60DBEA18ECDD
Session-ID-ctx:
Master-Key: 97C718741EDBC258C73313979B1992F4FCDC400948A143B6BC68D0C2465CF6CE948BEB22E4013E05595986326BF3657D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 30 2c d0 40 e2 10 8a f3-01 23 47 48 d8 f8 0c 68 0,. at .....#GH...h
0010 - 7e e8 47 02 9a 25 b3 17-2f c9 ca 04 1c 4c fa 6c ~.G..%../....L.l
0020 - 95 32 82 57 c6 4c b4 0e-bd 0a 64 fa 06 ab 1f 8b .2.W.L....d.....
0030 - f1 aa f1 43 03 ba 70 67-4d de e6 56 fc 9e 9b ce ...C..pgM..V....
0040 - c9 90 f5 f3 a5 33 d5 a6-99 a0 e9 8a 3f 12 8e 9d .....3......?...
0050 - 32 86 2f a0 89 a5 a0 30-2f 4b 85 4e d2 ec b4 0a 2./....0/K.N....
0060 - 92 35 2b ba 12 6f 5c aa-a2 6d e4 b0 c7 5e d8 27 .5+..o\..m...^.'
0070 - 95 cf 22 8d 9a f5 1d 25-f5 a8 7d 22 62 4b b2 70 .."....%..}"bK.p
0080 - c9 e8 7d 86 d3 5b 0b f1-24 34 1c e8 2e 8f f9 ca ..}..[..$4......
0090 - 70 70 d8 a1 99 49 0b b0-63 5e 13 e6 4a 41 87 70 pp...I..c^..JA.p
Compression: 1 (zlib compression)
Start Time: 1336645861
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
QUIT
DONE
root at foo-test:~ # gnutls-cli -V -d 4711 -p 636 --x509cafile /etc/ssl/certs/ca-c* dc.lan.tarent.de
Processed 407 CA certificate(s).
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
|<4>| REC[0x11d0210]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x11d0210]: Allocating epoch #1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x11d0210]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x11d0210]: Sending extension SERVER NAME (21 bytes)
|<2>| EXT[0x11d0210]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x11d0210]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x11d0210]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x11d0210]: CLIENT HELLO was sent [141 bytes]
|<6>| BUF[HSK]: Inserted 141 bytes of Data
|<7>| HWRITE: enqueued 141. Total 141 bytes.
|<7>| HWRITE FLUSH: 141 bytes in buffer.
|<4>| REC[0x11d0210]: Sending Packet[0] Handshake(22) with length: 141
|<7>| WRITE: enqueued 146 bytes for 0x4. Total 146 bytes.
|<4>| REC[0x11d0210]: Sent Packet[1] Handshake(22) with length: 146
|<7>| HWRITE: wrote 141 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 146 bytes in buffer.
|<7>| WRITE: wrote 146 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x11d0210]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x11d0210]: Received Packet[0] Handshake(22) with length: 53
|<7>| READ: Got 53 bytes from 0x4
|<7>| READ: read 53 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 53 bytes.
|<7>| RB: Requested 58 bytes
|<4>| REC[0x11d0210]: Decrypted Packet[0] Handshake(22) with length: 53
|<6>| BUF[HSK]: Inserted 53 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x11d0210]: SERVER HELLO was received [53 bytes]
|<6>| BUF[REC][HD]: Read 49 bytes of Data(22)
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 49 bytes of Data
|<3>| HSK[0x11d0210]: Server's version: 3.1
|<3>| HSK[0x11d0210]: SessionID length: 0
|<3>| HSK[0x11d0210]: SessionID: 00
|<3>| HSK[0x11d0210]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| EXT[0x11d0210]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0x11d0210]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0x11d0210]: Safe renegotiation succeeded
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x11d0210]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x11d0210]: Received Packet[1] Handshake(22) with length: 2449
|<7>| READ: Got 2449 bytes from 0x4
|<7>| READ: read 2449 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2449 bytes.
|<7>| RB: Requested 2454 bytes
|<4>| REC[0x11d0210]: Decrypted Packet[1] Handshake(22) with length: 2449
|<6>| BUF[HSK]: Inserted 2449 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x11d0210]: CERTIFICATE was received [2449 bytes]
|<6>| BUF[REC][HD]: Read 2445 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 194 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 2445 bytes of Data
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: mpi.c:609
|<2>| ASSERT: gnutls_pk.c:266
|<2>| ASSERT: verify.c:730
|<2>| ASSERT: verify.c:857
|<2>| ASSERT: verify.c:1011
|<2>| ASSERT: verify.c:373
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: verify.c:552
*** Verifying server certificate failed...
|<2>| ASSERT: gnutls_kx.c:705
|<2>| ASSERT: gnutls_handshake.c:2777
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: Error in the certificate.
|<4>| REC: Sending Alert[2|42] - Certificate is bad
|<4>| REC[0x11d0210]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x11d0210]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: Error in the certificate.
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x11d0210]: Epoch #0 freed
|<4>| REC[0x11d0210]: Epoch #1 freed
Versions:
# dpkg-query -W gnutls-bin libgnutls2{6,8}
gnutls-bin 3.0.11+really2.12.14-5ubuntu3
libgnutls26 2.12.14-5ubuntu3
No packages found matching libgnutls28.
Debian sid for comparison has:
root at tglase-amd64:~ # dpkg-query -W gnutls-bin libgnutls2{6,8}
gnutls-bin 3.0.19-2
libgnutls26:amd64 2.12.19-1
libgnutls28:amd64 3.0.19-2
root at tglase-amd64:~ # gnutls-cli -V -p 636 --x509cafile /etc/ssl/certs/ca-c* dc.lan.tarent.de
Processed 407 CA certificate(s).
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'dc.lan.tarent.de'.
- Session ID: 4F:07:04:93:B6:2A:AB:BA:CF:3A:6F:D0:78:DB:17:91:CF:4F:09:3F:58:98:19:DA:89:A0:CB:C6:93:E9:FC:36
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- X.509 Certificate Information:
Version: 3
Serial Number (hex): 01
Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de
Validity:
Not Before: Mon Feb 07 10:24:29 UTC 2011
Not After: Sat Feb 06 10:24:29 UTC 2016
Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=dc.lan.tarent.de,EMAIL=admins at tarent.de
Subject Public Key Algorithm: RSA
Certificate Security Level: Low (1024 bits)
Modulus (bits 1024):
00:b7:9c:d6:48:f1:e9:e6:c7:0d:68:cd:67:8e:c3:14
29:3d:d6:83:11:d0:95:3b:75:62:9d:0d:c2:67:5f:83
69:20:29:57:7d:89:9f:4f:99:54:d6:72:1d:11:59:1a
1b:db:ea:00:48:2f:d6:d5:c6:56:1e:fc:cb:91:c4:36
f8:cc:a2:a9:dd:34:ad:2f:66:eb:89:fa:1b:a8:57:9a
0b:75:f1:da:0c:a7:d0:f4:73:3d:cf:24:1e:75:95:6f
bb:7f:c1:65:12:36:64:eb:ac:b7:14:2b:6d:99:3f:05
b6:36:cc:41:99:fa:fb:52:89:46:94:83:2d:ac:34:13
ef
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Subject Key Identifier (not critical):
85f8172fa622f26215c5da9092a64ba77e007fa6
Authority Key Identifier (not critical):
619b65ad7b77255a9ba408325077492ad6dd1d76
Signature Algorithm: RSA-SHA1
Signature:
23:36:68:08:39:7c:20:6e:71:37:97:44:bc:bb:b6:af
30:6f:7d:e7:90:fb:3d:02:2d:88:c9:44:a4:76:4e:65
21:aa:cd:6a:92:80:a5:86:4a:9d:7e:dc:5a:ba:4d:88
67:a3:1b:a9:4b:c9:85:f0:4b:da:28:41:0b:3d:e1:29
cb:b7:7e:7c:de:c2:fe:55:3c:52:4f:75:e3:e2:c4:22
71:b9:19:5b:e2:3f:41:7f:98:de:c0:02:be:18:9b:0c
46:b0:5c:76:4f:0b:33:10:c4:d8:24:2e:f0:6c:68:ce
ee:02:8e:c7:87:3a:0f:55:09:4c:df:6a:e0:de:65:d7
ec:db:2e:9e:fd:f5:87:0f:d6:8c:a1:c8:d0:c5:bc:61
f0:48:3d:fd:e8:e3:41:86:9c:37:27:41:11:61:cd:84
18:de:ef:9b:60:ac:f4:ab:3c:b5:61:f4:31:8e:fa:85
06:7a:c9:24:50:b5:9b:dc:1f:66:cf:5d:7c:08:e4:0d
be:53:0d:54:ca:47:5c:b5:b0:46:94:83:64:ab:37:8e
8e:55:81:32:80:da:a5:49:32:5d:72:0c:5c:15:64:ab
4b:55:b7:ca:bb:41:a1:db:8f:f3:1a:b2:59:e3:da:b0
ed:d3:4c:75:a4:34:8c:1f:2a:73:e6:d0:72:40:16:55
Other Information:
SHA-1 fingerprint:
c11f5038e915c4cdf36743bc39b62ff60be8fdbf
Public Key Id:
d7b3d676cb339e976809b438a12e7bf0f30c5ba5
Public key's random art:
+--[ RSA 1024]----+
| |
| |
| |
| . o |
| S =.+ |
| . . +oo + |
| +. E. + = o|
| . == . =.=+|
| .+.oo . .=+|
+-----------------+
-----BEGIN CERTIFICATE-----
MIIEITCCAwmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzENMAsGA1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdt
YkgxCzAJBgNVBAsTAklUMSwwKgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBT
ZXJ2ZXIgUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZTAe
Fw0xMTAyMDcxMDI0MjlaFw0xNjAyMDYxMDI0MjlaMIGJMQswCQYDVQQGEwJERTEM
MAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0YXJlbnQgR21i
SDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEGRjLmxhbi50YXJlbnQuZGUxHzAdBgkq
hkiG9w0BCQEWEGFkbWluc0B0YXJlbnQuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALec1kjx6ebHDWjNZ47DFCk91oMR0JU7dWKdDcJnX4NpIClXfYmfT5lU
1nIdEVkaG9vqAEgv1tXGVh78y5HENvjMoqndNK0vZuuJ+huoV5oLdfHaDKfQ9HM9
zyQedZVvu3/BZRI2ZOustxQrbZk/BbY2zEGZ+vtSiUaUgy2sNBPvAgMBAAGjggEB
MIH+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFIX4Fy+mIvJiFcXakJKmS6d+AH+mMIHR
BgNVHSMEgckwgcaAFGGbZa17dyVam6QIMlB3SSrW3R12oYGipIGfMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlggkAnXueqx7HokkwDQYJKoZIhvcNAQEFBQADggEBACM2aAg5fCBucTeX
RLy7tq8wb33nkPs9Ai2IyUSkdk5lIarNapKApYZKnX7cWrpNiGejG6lLyYXwS9oo
QQs94SnLt3583sL+VTxST3Xj4sQicbkZW+I/QX+Y3sACvhibDEawXHZPCzMQxNgk
LvBsaM7uAo7HhzoPVQlM32rg3mXX7Nsunv31hw/WjKHI0MW8YfBIPf3o40GGnDcn
QRFhzYQY3u+bYKz0qzy1YfQxjvqFBnrJJFC1m9wfZs9dfAjkDb5TDVTKR1y1sEaU
g2SrN46OVYEygNqlSTJdcgxcFWSrS1W3yrtBoduP8xqyWePasO3TTHWkNIwfKnPm
0HJAFlU=
-----END CERTIFICATE-----
- Certificate[1] info:
- X.509 Certificate Information:
Version: 3
Serial Number (hex): 009d7b9eab1ec7a249
Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de
Validity:
Not Before: Mon Feb 07 10:24:29 UTC 2011
Not After: Wed Feb 06 10:24:29 UTC 2013
Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de
Subject Public Key Algorithm: RSA
Certificate Security Level: Legacy (2048 bits)
Modulus (bits 2048):
00:b1:86:75:49:51:8c:0d:19:f4:f5:1d:9e:63:c1:0b
01:04:df:ba:dc:05:bc:49:4e:6c:21:de:7b:2c:a5:dd
bf:89:bd:2f:8e:a6:e1:6a:61:aa:4c:e0:1e:c4:48:5e
04:45:33:b9:d8:1f:99:ab:46:72:f4:42:f7:5a:4a:0d
ec:a6:78:2d:1c:64:63:97:8a:16:90:80:36:9e:30:ac
a0:c1:91:56:e4:6e:ea:38:9d:dd:de:30:a7:e5:6f:40
71:91:90:38:6d:4e:c8:1a:f7:ed:59:6a:b8:96:bf:54
3b:0e:6f:98:61:94:ab:1b:58:4d:db:78:a8:19:38:ea
4e:b6:1c:0b:6d:b3:76:1a:4e:80:c7:68:9b:0b:e3:81
5a:14:5d:ea:61:b5:a1:9d:b1:ec:d8:b7:37:f7:a4:01
d3:13:b7:88:3f:08:9a:43:de:2d:30:f3:ad:60:d3:09
36:b7:08:7e:d6:cf:04:9b:bd:45:ac:55:8f:0b:bc:49
ca:3f:e7:c8:2a:42:3a:05:d5:dd:07:77:10:c2:07:ca
a2:2a:2e:84:a9:6b:b3:b0:f8:79:25:8e:bc:b5:c1:d7
c2:1c:d7:0a:41:b0:55:4f:d0:44:50:d2:15:75:5b:21
dd:a5:24:82:a9:99:63:8b:8d:d5:7d:71:19:31:62:e4
f7
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Key Identifier (not critical):
619b65ad7b77255a9ba408325077492ad6dd1d76
Authority Key Identifier (not critical):
619b65ad7b77255a9ba408325077492ad6dd1d76
Key Usage (not critical):
Certificate signing.
CRL signing.
Unknown extension 2.16.840.1.113730.1.1 (not critical):
ASCII: ....
Hexdump: 03020007
Subject Alternative Name (not critical):
RFC822name: admins at tarent.de
Issuer Alternative Name (not critical):
RFC822name: admins at tarent.de
Unknown extension 2.16.840.1.113730.1.13 (not critical):
ASCII: .)This certificate is a Root CA Certificate
Hexdump: 162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465
Signature Algorithm: RSA-SHA1
Signature:
5b:a1:a8:ec:95:0a:95:40:ed:da:55:79:bb:75:9e:0d
1c:73:dd:dc:e7:79:17:00:57:d7:08:a7:1b:7b:45:f3
e3:7d:41:80:e1:49:4b:34:a1:cc:91:e1:e3:db:20:d9
1f:01:8a:bc:74:10:40:6a:2a:c4:9c:05:d6:1a:27:c0
da:83:81:0e:34:f7:f4:04:c5:68:38:c1:67:74:44:ab
28:ee:a7:54:32:d7:1c:95:eb:90:a6:b9:46:d1:96:05
99:8b:f0:d2:a3:05:43:82:3c:a1:e3:9d:52:b5:94:65
df:df:9d:88:b5:d7:7b:1e:71:28:1e:a1:b2:80:2b:80
57:59:57:e9:3f:10:78:01:45:54:cf:11:3c:6d:3e:ab
50:59:3b:11:82:9a:a8:ad:ca:5a:8f:4a:e2:0c:40:da
84:9f:bc:14:41:31:f7:ec:13:4d:48:b5:1e:96:65:3b
1d:58:49:70:cf:04:f8:57:d3:7e:a3:3a:45:4f:05:78
12:20:a5:b8:3a:5e:d8:17:b1:4c:37:fc:16:4e:d0:3e
b8:ef:18:7d:ed:b2:17:c5:a6:d8:c1:34:84:34:b1:bf
a9:67:f9:fc:82:20:96:6f:39:86:3b:bd:bd:98:52:a1
e8:3d:6f:cb:1d:ff:f0:36:a6:c2:bf:72:3c:9b:65:21
Other Information:
SHA-1 fingerprint:
6da9e3f7bcea0df189a7f599599bc253517a57fc
Public Key Id:
2c1c29def291b0232e96889b4404cdc2cafb5997
Public key's random art:
+--[ RSA 2048]----+
|oo |
|o.o . |
|oo o o |
|o. . * + |
| .o = * S |
|+o.. = E |
|++o o o |
|o+ o |
|o |
+-----------------+
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIBAgIJAJ17nqsex6JJMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJERTEMMAoGA1UECBMDTlJXMQ0wCwYDVQQHEwRCb25uMRQwEgYDVQQKEwt0
YXJlbnQgR21iSDELMAkGA1UECxMCSVQxLDAqBgNVBAMTI1VuaXZlbnRpb24gQ29y
cG9yYXRlIFNlcnZlciBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBhZG1pbnNAdGFy
ZW50LmRlMB4XDTExMDIwNzEwMjQyOVoXDTEzMDIwNjEwMjQyOVowgZwxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIEwNOUlcxDTALBgNVBAcTBEJvbm4xFDASBgNVBAoTC3Rh
cmVudCBHbWJIMQswCQYDVQQLEwJJVDEsMCoGA1UEAxMjVW5pdmVudGlvbiBDb3Jw
b3JhdGUgU2VydmVyIFJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGFkbWluc0B0YXJl
bnQuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxhnVJUYwNGfT1
HZ5jwQsBBN+63AW8SU5sId57LKXdv4m9L46m4WphqkzgHsRIXgRFM7nYH5mrRnL0
QvdaSg3spngtHGRjl4oWkIA2njCsoMGRVuRu6jid3d4wp+VvQHGRkDhtTsga9+1Z
ariWv1Q7Dm+YYZSrG1hN23ioGTjqTrYcC22zdhpOgMdomwvjgVoUXephtaGdsezY
tzf3pAHTE7eIPwiaQ94tMPOtYNMJNrcIftbPBJu9RaxVjwu8Sco/58gqQjoF1d0H
dxDCB8qiKi6EqWuzsPh5JY68tcHXwhzXCkGwVU/QRFDSFXVbId2lJIKpmWOLjdV9
cRkxYuT3AgMBAAGjggGcMIIBmDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRh
m2Wte3clWpukCDJQd0kq1t0ddjCB0QYDVR0jBIHJMIHGgBRhm2Wte3clWpukCDJQ
d0kq1t0ddqGBoqSBnzCBnDELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsG
A1UEBxMEQm9ubjEUMBIGA1UEChMLdGFyZW50IEdtYkgxCzAJBgNVBAsTAklUMSww
KgYDVQQDEyNVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQTEfMB0G
CSqGSIb3DQEJARYQYWRtaW5zQHRhcmVudC5kZYIJAJ17nqsex6JJMAsGA1UdDwQE
AwIBBjARBglghkgBhvhCAQEEBAMCAAcwGwYDVR0RBBQwEoEQYWRtaW5zQHRhcmVu
dC5kZTAbBgNVHRIEFDASgRBhZG1pbnNAdGFyZW50LmRlMDgGCWCGSAGG+EIBDQQr
FilUaGlzIGNlcnRpZmljYXRlIGlzIGEgUm9vdCBDQSBDZXJ0aWZpY2F0ZTANBgkq
hkiG9w0BAQUFAAOCAQEAW6Go7JUKlUDt2lV5u3WeDRxz3dzneRcAV9cIpxt7RfPj
fUGA4UlLNKHMkeHj2yDZHwGKvHQQQGoqxJwF1honwNqDgQ409/QExWg4wWd0RKso
7qdUMtccleuQprlG0ZYFmYvw0qMFQ4I8oeOdUrWUZd/fnYi113secSgeobKAK4BX
WVfpPxB4AUVUzxE8bT6rUFk7EYKaqK3KWo9K4gxA2oSfvBRBMffsE01ItR6WZTsd
WElwzwT4V9N+ozpFTwV4EiCluDpe2BexTDf8Fk7QPrjvGH3tshfFptjBNIQ0sb+p
Z/n8giCWbzmGO729mFKh6D1vyx3/8Damwr9yPJtlIQ==
-----END CERTIFICATE-----
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Channel binding 'tls-unique': a22ef1b76eb9f8b5cd08e865
- Handshake was completed
- Simple Client Mode:
[ cursor here ]
Any ideas welcome. The certificates (CA and LDAP server) are
autogenerated by some Univention scripts, in case someone needs
to know.
Thanks in advance,
//mirabilos (also tg at debian.org)
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese
More information about the Gnutls-help
mailing list