gnutls fails to use Verisign CA cert without a Basic Constraint

Bug #314915 reported by Doug Engert on 2009-01-08
2
Affects Status Importance Assigned to Milestone
gnutls13 (Ubuntu)
Undecided
Unassigned

Bug Description

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3.

ldapsearch -d 1 -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The OpenLDAP ldap server certificate issued by Verisign is signed by:

Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem

which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

Verisign_Class_3_Public_Primary_Certification_Authority.pem
is a self signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.

Doug Engert (deengert) wrote :
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and appears to be a duplicate of bug 305264, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Feel free to continue to report any other bugs you may find.

Changed in gnutls13:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers