The Debian gnutls maintainer points to <http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e>, which shows how this is a gnutls bug rather than an openldap one. Reopening the gnutls tasks and closing the openldap tasks.
The upstream commit is given here:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0

Note, however, that this commit only fixes the problem when passing certain non-default options to gnutls, which are not passed by openldap, to enable use of V1 SSL certificates. Ultimately, these certificate chains worked with OpenLDAP+GnuTLS by accident, not design, as a result of the bug fixed in this security update.

Upstream is opposed to changing the default flags to enable V1 certificates because V1 certs are vulnerable to various sorts of attack and GnuTLS is documented to not support these by default. I think it's inappropriate to change the default flags in OpenLDAP for the same reason. If it's determined that enabling V1 certs is the lesser evil, I think it makes more sense to enable them globally than to enable them just in OpenLDAP, since this potentially affects all consumers of libgnutls.

As for whether enabling them is the lesser evil, note that the attacks V1 certs are subject to are not a strict subset of the attacks GnuTLS was subject to prior to this security update, so there's no easy choice here.

** Changed in: gnutls26 (Ubuntu Jaunty)
   Status: Fix Released => Triaged

** Changed in: gnutls26 (Ubuntu Intrepid)
   Status: Fix Released => Triaged

** Changed in: gnutls13 (Ubuntu Hardy)
   Status: Fix Released => Triaged

** Changed in: gnutls13 (Ubuntu Gutsy)
   Status: Fix Released => Triaged

** Changed in: gnutls12 (Ubuntu Dapper)
   Status: Fix Released => Triaged

** Changed in: openldap (Ubuntu Hardy)
   Status: Confirmed => Invalid

** Changed in: openldap (Ubuntu Intrepid)
   Status: Confirmed => Invalid

** Changed in: openldap (Ubuntu Jaunty)
   Status: Confirmed => Invalid

--
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264