On 02.03.2011 19:15, Andreas Metzler wrote:
>> After the upgrade to version 2.10.4 pam authentication against OpenLDAP
>> fails with the following error message:
>
>> TLS: peer cert untrusted or revoked (0x402)
>> TLS: can't connect: (unknown error code).
>
>> Had to downgrade to 2.8.6 to be able to log in again.
> [...]
>
> Could you please show
> gnutls-cli --x509cafile wherever-TLS_CACERT-pointsto -p 636 ldap-server-hostname
>
> for both 2.8.6 and 2.10.4?
2.8:

% gnutls-cli --x509cafile cacert.pem -p 636 canopus
Processed 1 CA certificate(s).
Resolving 'canopus'...
Connecting to '192.168.0.1:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=blahblah',issuer `blahblah', RSA key 2048 bits, signed using RSA-SHA, activated `2006-07-26 17:16:08 UTC', expires `2012-07-24 17:16:08 UTC', SHA-1 fingerprint `745024f9629444bd04bbd570e05a0b0d2e3fd662'
 - Certificate[1] info:
  - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21 12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
- The hostname in the certificate matches 'canopus'.
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
^C

2.10:

# gnutls-cli --x509cafile cacert.pem -p 636 canopus
Processed 1 CA certificate(s).
Resolving 'canopus'...
Connecting to '192.168.0.1:636'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate

Regards,
Vedran

--
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
<<attachment: vedran_furac.vcf>>
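An added example (not part of this thread and not GnuTLS code): it parses the per-certificate lines that gnutls-cli 2.8.6 prints above and checks each certificate in the chain against a reference date, one of the checks a verifier performs before it reports a chain as trusted. The sample input is the 2.8.6 output quoted above, embedded as a constant; the 2048-bit minimum key size, the reference date (the date of the mail) and the function names are my own choices. A real verifier also checks signatures, the trust anchor and revocation, which this script does not.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the gnutls-cli 2.8.6 output quoted in the thread above,
# with the subject/issuer fields left redacted as the poster wrote them.
SAMPLE_OUTPUT = """\
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=blahblah',issuer `blahblah', RSA key 2048 bits, signed using RSA-SHA, activated `2006-07-26 17:16:08 UTC', expires `2012-07-24 17:16:08 UTC', SHA-1 fingerprint `745024f9629444bd04bbd570e05a0b0d2e3fd662'
 - Certificate[1] info:
  - subject `blahblah', issuer `blahblah', RSA key 1024 bits, signed using RSA-SHA, activated `2006-07-22 12:59:58 UTC', expires `2009-07-21 12:59:58 UTC', SHA-1 fingerprint `ec5248b3194be9fda5639b59458962bc9bee32cc'
- The hostname in the certificate matches 'canopus'.
"""

# "Certificate[N] info:" followed on the next line by the detail line.
CERT_BLOCK_RE = re.compile(r"Certificate\[(\d+)\] info:\s*\n\s*-\s*(.+)")
ACTIVATED_RE = re.compile(r"activated `([^']+)'")
EXPIRES_RE = re.compile(r"expires `([^']+)'")
FINGERPRINT_RE = re.compile(r"SHA-1 fingerprint `([0-9a-fA-F]+)'")
KEYBITS_RE = re.compile(r"RSA key (\d+) bits")

DATE_FMT = "%Y-%m-%d %H:%M:%S UTC"  # the timestamp format gnutls-cli 2.8 prints


def parse_date(text):
    """Turn `2006-07-26 17:16:08 UTC' into an aware UTC datetime."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_chain(output):
    """Extract one record per 'Certificate[N] info:' block from gnutls-cli output."""
    chain = []
    for index, detail in CERT_BLOCK_RE.findall(output):
        chain.append({
            "index": int(index),
            "key_bits": int(KEYBITS_RE.search(detail).group(1)),
            "not_before": parse_date(ACTIVATED_RE.search(detail).group(1)),
            "not_after": parse_date(EXPIRES_RE.search(detail).group(1)),
            "fingerprint": FINGERPRINT_RE.search(detail).group(1).lower(),
        })
    return chain


def check_chain(chain, at, min_rsa_bits=2048):
    """Return (index, issue) pairs for every certificate that fails a check at time `at`.

    Checks performed: validity window (not yet valid / expired) and a minimum
    RSA key size. min_rsa_bits=2048 is this script's policy, not GnuTLS's.
    """
    findings = []
    for cert in chain:
        i = cert["index"]
        if at < cert["not_before"]:
            findings.append((i, "not yet valid"))
        if at > cert["not_after"]:
            findings.append((i, "expired"))
        if cert["key_bits"] < min_rsa_bits:
            findings.append((i, "weak key"))
    return findings


def report(output, at):
    """Human-readable summary: which certificate in the chain fails, and why."""
    chain = parse_chain(output)
    lines = [f"chain of {len(chain)} certificate(s), checked at {at:{DATE_FMT}}"]
    for index, issue in check_chain(chain, at):
        cert = chain[index]
        lines.append(
            f"  Certificate[{index}] ({cert['fingerprint'][:8]}...): {issue} "
            f"(valid {cert['not_before']:%Y-%m-%d} to {cert['not_after']:%Y-%m-%d}, "
            f"RSA {cert['key_bits']} bits)"
        )
    if len(lines) == 1:
        lines.append("  no problems found")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reference date: the date of the mail in the thread (assumed, for illustration).
    mail_date = datetime(2011, 3, 2, 19, 15, 0, tzinfo=timezone.utc)
    print(report(SAMPLE_OUTPUT, mail_date))
```

Run against the quoted output, the script reports that Certificate[1], the issuing certificate, was already outside its validity window at the date of the mail, while Certificate[0] was still valid; the same input checked at a date in 2008 produces only the key-size finding.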