Comment 30 for bug 305264

Steve Langasek (vorlon) wrote :

The Debian gnutls maintainer points to
<http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e>, which shows how this is a gnutls bug rather than an openldap one. Reopening the gnutls tasks and closing the openldap tasks.

The upstream commit is given here.
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0

Note, however, that this commit only fixes the problem when passing certain non-default options to gnutls, which are not passed by openldap, to enable use of V1 SSL certificates. Ultimately, these certificate chains worked with OpenLDAP+GnuTLS by accident, not design, as a result of the bug fixed in this security update.

Upstream is opposed to changing the default flags to enable V1 certificates because V1 certs are vulnerable to various sorts of attack and GnuTLS is documented to not support these by default. I think it's inappropriate to change the default flags in OpenLDAP for the same reason. If it's determined that enabling V1 certs is the lesser evil, I think it makes more sense to enable them globally than to enable them just in OpenLDAP, since this potentially affects all consumers of libgnutls.

As for whether enabling them is the lesser evil, note that the attacks V1 certs are subject to are not a strict subset of the attacks GnuTLS was subject to prior to this security update, so there's no easy choice here.
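As an added example (not part of this bug comment, nor code from GnuTLS or OpenLDAP), a stdlib-only Python check that flags X.509 v1 certificates in a PEM chain, the kind GnuTLS rejects under its default flags; a v1 certificate carries no extensions, so it has no basicConstraints by which a verifier could tell it is a CA. The DER stubs below are constructed truncations holding only the leading Certificate/tbsCertificate structure, not real certificates.

```python
import base64
import re

# Minimal DER walker: just enough to reach the X.509 Version field.
def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length

def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.
    Version is [0] EXPLICIT with DEFAULT v1, so if the first element of
    tbsCertificate is not context tag [0], the certificate is v1."""
    tag, start, _, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, start, _, _ = _read_tlv(der, start)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, vstart, vend, _ = _read_tlv(der, start)    # first TBS element
    if tag != 0xA0:                                 # no [0] => DEFAULT v1
        return 1
    itag, istart, iend, _ = _read_tlv(der, vstart)  # INTEGER inside [0]
    assert itag == 0x02, "version is not an INTEGER"
    return int.from_bytes(der[istart:iend], "big") + 1   # v3 is encoded as 2

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def v1_certs_in_chain(pem_text):
    """Return the 0-based positions of v1 certificates in a PEM chain."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        if x509_version(der) == 1:
            found.append(i)
    return found

# Constructed stubs (not real certificates): SEQUENCE { SEQUENCE { [0]{INTEGER 2}, INTEGER 1 } }
V3_STUB = bytes.fromhex("300a" "3008" "a003020102" "020101")
# ...and the same with the Version field omitted, i.e. DEFAULT v1.
V1_STUB = bytes.fromhex("3005" "3003" "020101")

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = _pem(V3_STUB) + _pem(V1_STUB)   # constructed: leaf v3, issuer v1
```

Run `v1_certs_in_chain(open("chain.pem").read())` against a real chain to see which positions a default GnuTLS verification will refuse to treat as CA certificates.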