On Tue, 12 Feb 2008, Andrew Reid wrote:
Package: libnss-ldap Version: 258-1b+1
This certainly appears to be an OpenSSL issue, not libnss-ldap
Running "id <valid-username>" with a "debug 9999" line added to /etc/libnss-ldap.conf gives a message part way through stating "TLS: peer certificate is expired", but running "openssl x509 -text -in /etc/ldap/cacerts/cacert.pem" shows that the certificate's validity period extends from October 2006 through October 2016. "date" on the lenny client gives the correct date.
Since the message deals with the peer certificate, you need to verify not the local cacert certificate - but the LDAP server certificate itself. Please try this on both releases: openssl s_client -connect <LDAP_SERVER_FQDN>:ldaps
My personal suspicion is that some security default has changed, or possibly that I'm missing an optional library or cipher method or something, and this is possibly a migration issue. I would appreciate any assistance you could offer with that.
The OpenSSL libraries have gone through a few revisions over the timespan of these releases and something may have changed... It is very unlikely that you'd be missing any libraries; dependencies are something Debian excels at.
In any case, it seems clear to me that, at a minimum, the certificate status is being misreported.
Possibly, but we'll know more after the above tests.

-- 
Rick Nelson
"And the next time you consider complaining that running Lucid Emacs 19.05 via NFS from a remote Linux machine in Paraguay doesn't seem to get the background colors right, you'll know who to thank." (By Matt Welsh)
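As an added example (not from the thread), a small POSIX sh helper that runs the checks suggested above: read the validity dates of the local CA file, then fetch the certificate the LDAP server actually presents on the ldaps port (636) and check its dates and its chain against that CA file. The host name ldap.example.org is a placeholder; the cacert path is the one from the thread.

```shell
#!/bin/sh
# Added example: tell apart "the local CA file is expired" from "the peer
# (server) certificate is expired" using plain openssl(1).

# Print notBefore/notAfter of a PEM certificate file; exit 0 only if the
# certificate is still valid for at least $2 more seconds (default 0 = now).
cert_file_check() {
    file=$1; margin=${2:-0}
    openssl x509 -noout -dates -in "$file" || return 2
    # -checkend exits 1 when the certificate expires within $margin seconds
    openssl x509 -noout -checkend "$margin" -in "$file" >/dev/null
}

# Fetch the leaf certificate an LDAPS server presents (the "peer
# certificate" in the libnss-ldap debug message) and run the same check.
peer_cert_check() {
    host=$1; port=${2:-636}; margin=${3:-0}
    tmp=$(mktemp) || return 2
    # s_client prints the peer certificate in PEM; x509 extracts that block
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" || { rm -f "$tmp"; return 2; }
    cert_file_check "$tmp" "$margin"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Show whether the peer certificate chains to the configured CA file, which
# separates an expiry problem from an untrusted-issuer problem.
peer_chain_check() {
    host=$1; cafile=$2; port=${3:-636}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" </dev/null 2>/dev/null | grep 'Verify return code'
}

# Usage (host is a placeholder):
#   cert_file_check /etc/ldap/cacerts/cacert.pem
#   peer_cert_check ldap.example.org 636
#   peer_chain_check ldap.example.org /etc/ldap/cacerts/cacert.pem
```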