Edward Allcutt <emall...@gleim.com> writes:

> Package: libgnutls13
> Version: 1.4.4-3+etch3
> Severity: important
>
> After the upgrade all embedded uses of LDAP fail with connection errors.
> On investigation these seem to be caused by certificate validation
> problems.
>
> This was first noticed with nss_ldap. After enabling debugging, running
> `getent group` produced error messages like:
> TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
> TLS certificate verification: Error, Unknown error
>
> Similar problems occur for pam_ldap and apache mod_authnz_ldap.
> Strangely, gnutls-cli verifies the server certificate with no problems.
>
> The error was first seen in a STARTTLS only configuration. I have since
> enabled ldaps to ease testing with gnutls-cli and confirmed it still
> affects nss_ldap and apache switched to ldaps.
>
> The root (trusted) certificate of our cert chain is an x509v1 cert, however
> I'd expect gnutls-cli to complain if this were the issue.
Please post output from 'gnutls-cli -p 663 your.ldap.server -d 4711 --print-cert' replacing your.ldap.server as appropriate.

I suspect the problem is that you have a RSA-MD5 signature somewhere in the certificate chain.

/Simon
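As an added illustration (not part of this thread, nor GnuTLS code) of the kind of chain inspection Simon asks for: a stdlib-only Python checker that takes the PEM chain printed by `gnutls-cli --print-cert`, reads each certificate's version and outer signature algorithm OID directly from the DER, and flags the two conditions the thread discusses, an RSA-MD5 signature and an X.509v1 certificate. The two sample inputs are hand-built minimal DER skeletons (version, serial, algorithm identifiers, empty signature), not real certificates.

```python
import base64
import re
MD5_WITH_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption (RFC 3279)

def _tlv(data, pos):
    # Read one DER tag/length/value starting at pos -> (tag, value, next_pos).
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    # Only the leading fields are walked, so this works on full real certs too.
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE {...}
    _, tbs, pos = _tlv(cert, 0)        # tbsCertificate
    _, sig_alg, _ = _tlv(cert, pos)    # outer signatureAlgorithm
    tag, body, _ = _tlv(tbs, 0)        # version [0] EXPLICIT, absent for v1
    version = body[-1] + 1 if tag == 0xA0 else 1
    _, oid, _ = _tlv(sig_alg, 0)
    return {"version": version, "sig_oid": _decode_oid(oid)}

def load_pem_chain(text):
    # Split a PEM bundle (e.g. gnutls-cli --print-cert output) into DER blobs.
    pem = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in pem]

def check_chain(ders):
    # One finding per flagged certificate; an empty list means nothing found.
    findings = []
    for depth, der in enumerate(ders):
        info = inspect_cert(der)
        if info["sig_oid"] == MD5_WITH_RSA:
            findings.append(f"depth {depth}: signed with md5WithRSAEncryption")
        if info["version"] == 1:
            findings.append(f"depth {depth}: X.509v1 certificate (no extensions)")
    return findings

# Constructed minimal DER skeletons used as sample input, NOT real certificates.
V3_SHA256 = bytes.fromhex("302c3017a003020102020101300d06092a864886f70d01010b0500300d06092a864886f70d01010b050003020000")
V1_MD5 = bytes.fromhex("30273012020101300d06092a864886f70d0101040500300d06092a864886f70d010104050003020000")
```

To run it on a live server, feed the PEM blocks from the gnutls-cli output into `load_pem_chain` and pass the result to `check_chain`.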