Package: libgnutls13
Version: 1.4.4-3+etch3
Severity: important

After the upgrade all embedded uses of LDAP fail with connection errors. On investigation these seem to be caused by certificate validation problems.

This was first noticed with nss_ldap. After enabling debugging, running `getent group` produced error messages like:

  TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
  TLS certificate verification: Error, Unknown error

Similar problems occur for pam_ldap and apache mod_authnz_ldap.

Strangely, gnutls-cli verifies the server certificate with no problems.

The error was first seen in a STARTTLS only configuration. I have since enabled ldaps to ease testing with gnutls-cli and confirmed it still affects nss_ldap and apache switched to ldaps.

The root (trusted) certificate of our cert chain is an x509v1 cert, however I'd expect gnutls-cli to complain if this were the issue.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-amd64
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)

Versions of packages libgnutls13 depends on:
ii  libc6          2.3.6.ds1-13etch8  GNU C Library: Shared libraries
ii  libgcrypt11    1.2.3-2            LGPL Crypto library - runtime libr
ii  libgpg-error0  1.4-1              library for common error values an
ii  liblzo1        1.08-3             data compression library (old vers
ii  libopencdk8    0.5.9-2            Open Crypto Development Kit (OpenC
ii  libtasn1-3     0.3.6-2            Manage ASN.1 structures (runtime)
ii  zlib1g         1:1.2.3-13         compression library - runtime

libgnutls13 recommends no packages.

-- no debconf information