Package: libgnutls26
Version: 2.2.1-3
Severity: important

breaks slapd (ldap caching), ldapsearch, mutt, and anything else linked against the gnutls library.

While investigating why my slapd ldap caching wasn't working - and remote ldap authentication started failing, I found this in the ldapsearch debug output:

TLS: can't connect: A TLS packet with unexpected length was received..

To isolate the problem source, I installed gnutls-bin and compared gnutls-cli and openssl s_client output:

$ gnutls-cli -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received

$ openssl s_client -connect bluepages.ibm.com:636
CONNECTED(00000003)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
...

$ gnutls-cli -p 443 w3.ibm.com
Resolving 'w3.ibm.com'...
Connecting to '9.17.137.11:443'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

$ openssl s_client -connect w3.ibm.com:443
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
...

I don't know if it'll help, but here is the gnutls debug output for one of the sites (the other appears pretty much the same)

$ gnutls-cli-debug -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... no
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie Hellman group info... N/A
Checking for ephemeral Diffie Hellman support... no
Checking ephemeral Diffie Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... no
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for ZLIB compression support (TLS extension)... no
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.2 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6          2.7-8              GNU C Library: Shared libraries
ii  libgcrypt11    1.4.0-3            LGPL Crypto library - runtime libr
ii  libgpg-error0  1.4-2              library for common error values an
ii  libopencdk10   0.6.6-1            Open Crypto Development Kit (OpenC
ii  libtasn1-3     1.3-1              Manage ASN.1 structures (runtime)
ii  zlib1g         1:1.2.3.3.dfsg-11  compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information
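
Added example, not part of the original report: a small parser that recovers the check/result pairs from gnutls-cli-debug output like the run quoted above, even when the text has been wrapped mid-entry, and groups the results that describe how the server handles newer ClientHello features or weak ciphers. The sample text is constructed from the report's output; the rule table and category names are this example's assumptions, not a diagnosis of the bug.

```python
import re

# Constructed sample: an excerpt of the gnutls-cli-debug output quoted in the
# report, flattened and wrapped mid-entry the way the archive rendered it.
SAMPLE = (
    "Checking for TLS 1.1 support... no Checking fallback from TLS 1.1 to... "
    "failed Checking for TLS 1.0 support... yes Checking for SSL 3.0 support... "
    "yes Checking for HTTPS server name... not checked Checking whether the "
    "server ignores the RSA PMS version... \nno Checking whether the server can "
    "accept Hello Extensions... no Checking whether the server can accept a "
    "bogus TLS record version in the client hello... no Checking for "
    "certificate information... N/A Checking for export-grade ciphersuite "
    "support... yes Checking for ARCFOUR 40 cipher support... yes"
)

# One entry is "Checking <name>... <result>"; the result ends where the next
# "Checking " starts, so line breaks inside an entry do not matter.
ENTRY = re.compile(r"Checking\s+(.+?)\.\.\.\s*(.*?)\s*(?=Checking\s|\Z)", re.S)

# Assumed triage rules (this example's grouping, not gnutls-cli-debug's):
# check name -> (category, result that counts as a finding).
RULES = {
    "for TLS 1.1 support": ("negotiation", "no"),
    "fallback from TLS 1.1 to": ("negotiation", "failed"),
    "whether the server can accept Hello Extensions": ("negotiation", "no"),
    "whether the server can accept a bogus TLS record version in the client hello": ("negotiation", "no"),
    "for SSL 3.0 support": ("weak-crypto", "yes"),
    "for export-grade ciphersuite support": ("weak-crypto", "yes"),
    "for ARCFOUR 40 cipher support": ("weak-crypto", "yes"),
}

def parse_checks(text):
    """Return {check name: result} with whitespace runs collapsed."""
    return {" ".join(n.split()): " ".join(r.split()) for n, r in ENTRY.findall(text)}

def triage(text):
    """Group the checks whose result matches a rule, by category."""
    findings = {}
    for name, result in parse_checks(text).items():
        category, bad = RULES.get(name, (None, None))
        if result == bad:
            findings.setdefault(category, []).append(name)
    return findings

if __name__ == "__main__":
    for category, names in triage(SAMPLE).items():
        print(category, names)
```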