Debian Bug report logs - #517188
libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate


Package: libldap-2.4-2; Maintainer for libldap-2.4-2 is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for libldap-2.4-2 is src:openldap.

Reported by: Rik Theys <Rik.Theys@esat.kuleuven.be>

Date: Thu, 26 Feb 2009 09:40:54 UTC

Severity: normal

Found in version openldap/2.4.11-1

Done: Matthijs Möhlmann <matthijs@cacholong.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#517188; Package libldap-2.4-2. (Thu, 26 Feb 2009 09:40:58 GMT)

Acknowledgement sent to Rik Theys <Rik.Theys@esat.kuleuven.be>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 26 Feb 2009 09:41:29 GMT)

Message #5 received at submit@bugs.debian.org:

From: Rik Theys <Rik.Theys@esat.kuleuven.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
Date: Thu, 26 Feb 2009 10:29:13 +0100
Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal

OpenLDAP in Lenny is linked against GnuTLS instead of OpenSSL. GnuTLS doesn't support the
TLS_CACERTDIR configuration option, so we have to use TLS_CACERT to specify a file with
trusted CA certificates.

According to the ldap.conf (5) man page, the TLS_CACERT file can contain all CA certificates
that should be trusted.

I've concatenated two CA certificates into one file and specified this file in ldap.conf.

I have two servers with certificates signed by different CAs. Server1 is signed by CA1 and
server2 is signed by CA2.

When I put CA1 at the top of the bundle file, I can connect to server1 but not server2 as the
certificate is not trusted. If I put CA2 at the top, I can connect to server2 but not server1.

When I use openssl s_client with the CA bundle, I can connect to both servers.

Is this the expected behaviour? Doesn't GnuTLS support more than one certificate in the TLS_CACERT
file? If so, this is a serious PITA as it makes migration from CA1 to CA2 much harder.

Regards,

Rik


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libgnutls26              2.4.2-4         the GNU TLS library - runtime libr
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
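Before attributing the symptom in this report (only the first CA in the bundle trusted) to the TLS library, a practitioner wants to know what the TLS_CACERT file actually contains: how many PEM blocks it holds, whether each one is well-formed, and whether there is non-PEM text between the blocks (the text dump that `openssl x509 -text` prepends, for instance, which some PEM readers tolerate and others do not). The following checker is an added example, not code from the bug log, OpenLDAP or GnuTLS. It splits a bundle into its PEM blocks, base64-decodes each, and verifies that the result is a single DER SEQUENCE whose encoded length matches its size (the outer structure of every X.509 certificate). It does not validate signatures or chains. The sample bundle embedded at the bottom is constructed from tiny DER values and contains no real certificates.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_der_sequence(der):
    """Return None if `der` is exactly one well-formed DER SEQUENCE
    (tag 0x30, length header consistent with the body), else an error string."""
    if not der or der[0] != 0x30:
        return "not a DER SEQUENCE (X.509 certificates start with tag 0x30)"
    if len(der) < 2:
        return "truncated after the tag byte"
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "bad length encoding"
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        return "length field says %d bytes but body has %d" % (length, len(der) - hdr)
    return None


def _entry(index, der, stray, error):
    return {"index": index, "der": der, "stray": list(stray), "error": error}


def _decode_block(b64_lines):
    try:
        der = base64.b64decode("".join(b64_lines), validate=True)
    except (binascii.Error, ValueError) as exc:
        return None, "base64 error: %s" % exc
    return der, check_der_sequence(der)


def split_pem_bundle(text):
    """Split a concatenated PEM bundle (the TLS_CACERT file format) into
    entries. Each entry records the decoded DER (or None), any non-PEM lines
    seen since the previous block (`stray`), and an error string or None."""
    entries = []
    current = None          # base64 lines of the block being read, or None
    stray = []              # non-PEM lines seen since the previous END
    for raw in text.splitlines():
        line = raw.strip()  # tolerate CRLF and indented armor lines
        if line == BEGIN:
            if current is not None:
                entries.append(_entry(len(entries), None, stray, "BEGIN inside an open block"))
                stray = []
            current = []
        elif line == END:
            if current is None:
                entries.append(_entry(len(entries), None, stray, "END without BEGIN"))
            else:
                der, err = _decode_block(current)
                entries.append(_entry(len(entries), der, stray, err))
            current = None
            stray = []
        elif current is not None:
            current.append(line)
        elif line:
            stray.append(line)
    if current is not None:
        entries.append(_entry(len(entries), None, stray, "unterminated block (missing END)"))
    return entries


def summarize_bundle(text):
    """Counts and problem list for a bundle: what a TLS client should see."""
    entries = split_pem_bundle(text)
    return {
        "blocks": len(entries),
        "valid": sum(1 for e in entries if e["error"] is None),
        "problems": [(e["index"], e["error"]) for e in entries if e["error"]],
        "stray_text": [(e["index"], e["stray"]) for e in entries if e["stray"]],
    }


def _fake_cert_pem(payload):
    # Constructed test data: PEM armor around a tiny DER value. Not a certificate.
    return BEGIN + "\n" + base64.encodebytes(payload).decode() + END + "\n"


# Constructed sample bundle: two well-formed blocks (with a comment and an
# openssl-style text dump in front of them), one block whose content is an
# INTEGER rather than a SEQUENCE, and one whose length field is wrong.
SAMPLE_BUNDLE = (
    "# CA1 (constructed sample, not a real certificate)\n"
    + _fake_cert_pem(b"\x30\x03\x02\x01\x01")
    + "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    + _fake_cert_pem(b"\x30\x03\x02\x01\x02")
    + _fake_cert_pem(b"\x02\x01\x07")
    + _fake_cert_pem(b"\x30\x05\x02\x01\x01")
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    s = summarize_bundle(text)
    print("%d PEM block(s), %d well-formed" % (s["blocks"], s["valid"]))
    for idx, err in s["problems"]:
        print("  block %d: %s" % (idx, err))
    for idx, lines in s["stray_text"]:
        print("  %d non-PEM line(s) before block %d" % (len(lines), idx))
```

Run it as `python3 check_bundle.py /etc/ssl/certs/ca-certificates.crt` (or whatever path TLS_CACERT names). If the count of well-formed blocks matches the number of CAs you expect and no stray text is reported, the file is fine and the behaviour described in this report lies in the library; if the second CA is reported as malformed or is preceded by stray text, fix the bundle first.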





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#517188; Package libldap-2.4-2. (Tue, 13 Oct 2009 11:48:03 GMT)

Acknowledgement sent to Tammo Schuelke <tas@redlink.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 13 Oct 2009 11:48:03 GMT)

Message #10 received at 517188@bugs.debian.org:

From: Tammo Schuelke <tas@redlink.de>
To: 517188@bugs.debian.org
Subject: RE: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
Date: Tue, 13 Oct 2009 13:32:26 +0200
This still seems to be an issue, I'm currently running into the same problem.

Any advice (apart from recompiling against openssl)?

Regards,

Tammo

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#517188; Package libldap-2.4-2. (Tue, 13 Oct 2009 12:15:02 GMT)

Acknowledgement sent to Tammo Schuelke <tas@redlink.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 13 Oct 2009 12:15:03 GMT)

Message #15 received at 517188@bugs.debian.org:

From: Tammo Schuelke <tas@redlink.de>
To: 517188@bugs.debian.org
Subject: RE: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
Date: Tue, 13 Oct 2009 14:02:37 +0200
I just noticed that I can remove the CA related directives and copy all required intermediate certificates and the root certificate directly into the key file to build the trust chain. Problem solved.

Regards,

Tammo

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#517188; Package libldap-2.4-2. (Tue, 27 Apr 2010 10:51:04 GMT)

Acknowledgement sent to Peter Marschall <peter@adpm.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 27 Apr 2010 10:51:04 GMT)

Message #20 received at 517188@bugs.debian.org:

From: Peter Marschall <peter@adpm.de>
To: Debian Bug Tracking System <517188@bugs.debian.org>
Subject: Re: Only the first certificate in TLS_CACERT is used to verify the server certificate
Date: Tue, 27 Apr 2010 12:24:17 +0200
Package: libldap-2.4-2
Severity: normal

Hi,

with OpenLDAP 2.4.21 from unstable I cannot reproduce this bug.

My /etc/ldap/ldap.conf contains the line
	TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
and my private CA certificate used to create the server & client certificates
for OpenLDAP (and other local services) is not listed first in
 /etc/ssl/certs/ca-certificates.crt

Best regards
Peter

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                     2.10.2-6       Embedded GNU C Library: Shared lib
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libsasl2-2                2.1.23.dfsg1-5 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information




Reply sent to Matthijs Möhlmann <matthijs@cacholong.nl>:
You have taken responsibility. (Tue, 27 Apr 2010 17:42:07 GMT)

Notification sent to Rik Theys <Rik.Theys@esat.kuleuven.be>:
Bug acknowledged by developer. (Tue, 27 Apr 2010 17:42:07 GMT)

Message #25 received at 517188-done@bugs.debian.org:

From: Matthijs Möhlmann <matthijs@cacholong.nl>
To: 517188-done@bugs.debian.org
Subject: Re: libldap-2.4-2: Only the first certificate in TLS_CACERT is used to verify the server certificate
Date: Tue, 27 Apr 2010 19:37:55 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Thanks to Peter Marschall for testing. Bug doesn't appear anymore in
2.4.21 release in Debian.

Regards,

Matthijs Mohlmann
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvXIPMACgkQ2n1ROIkXqbCfYACgio+ZP9LvVuW8PXIjlCQ2Q9ck
AWgAn0L/sepEYA2tfrXvmHfuLtxoYUI+
=HTLD
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 26 May 2010 07:38:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:23:43 2014; Machine Name: beach.debian.org
