rsyslog-gnutls can't validate V1 CA certificates

Bug #514079 reported by H.-Dirk Schmitt on 2010-01-28
This bug affects 1 person
Affects: Rsyslog; Status: Won't Fix; Importance: Medium
Affects: rsyslog (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

Binary package hint: rsyslog

In my organisation the CA is based on a V1 CA certificate.
This triggers the following error:
 pluto rsyslogd: not permitted to talk to peer, certificate invalid: signer is not a CA

I can reproduce the problem with gnutls-cli:
   gnutls-cli -V --x509cafile /etc/ssl/certs/proarc-srv.crt -p 42514 pluto.computer42.org
   --> - Peer's certificate issuer is not a CA

If I add '--priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT' to the command above, the certificate validation is successful.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563127#15 and https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for similar problems with gnutls.

Environment is ubuntu karmic / amd64.
rsyslog-gnutls 4.2.0-2ubuntu5.1

rsyslog 4.2.0-2ubuntu5.1
rsyslog-gnutls 4.2.0-2ubuntu5.1
libgnutls26 2.8.3-2
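
An X.509 V1 certificate has no extensions field, so it cannot carry basicConstraints CA:TRUE, which is why the verifier reports the signer as "not a CA" unless V1 CAs are explicitly allowed. The following is an added example, not part of the original report or of rsyslog/GnuTLS: a standard-library check that reads the version and extensions presence from DER so a trust store can be audited for V1 CAs. The function names and the two sample inputs are constructed for illustration.

```python
# Added example (not from the bug report): read the X.509 version from raw DER.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length

def x509_version(der):
    """Return (version, has_extensions) for one DER-encoded certificate."""
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = read_tlv(der, start)  # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    version, has_ext = 1, False               # version DEFAULTs to v1 when [0] is absent
    while pos < tbs_end:
        tag, vstart, vend = read_tlv(der, pos)
        if tag == 0xA0:                       # [0] EXPLICIT Version: INTEGER 0/1/2
            _, istart, iend = read_tlv(der, vstart)
            version = int.from_bytes(der[istart:iend], "big") + 1
        elif tag == 0xA3:                     # [3] EXPLICIT Extensions (v3 only)
            has_ext = True
        pos = vend
    return version, has_ext

def cannot_assert_ca(der):
    """True if the cert has no extensions field, so no basicConstraints CA:TRUE."""
    version, has_ext = x509_version(der)
    return version < 3 or not has_ext

# Constructed skeletons (placeholder fields, no real keys or signatures).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only

_FIELDS = _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 5   # serial + 5 empty placeholders
SAMPLE_V1 = _tlv(0x30, _tlv(0x30, _FIELDS))
SAMPLE_V3 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _FIELDS
                            + _tlv(0xA3, _tlv(0x30, b""))))
```

For a real PEM file, convert each certificate with `ssl.PEM_cert_to_DER_cert()` from the standard library before calling `cannot_assert_ca()`.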

Changed in rsyslog:
status: Unknown → Confirmed
Changed in rsyslog:
status: Confirmed → In Progress
Changed in rsyslog:
importance: Unknown → Medium
Changed in rsyslog:
status: In Progress → Confirmed

Closing this bug as the same issue never surfaced from someone else and this is too much work for a single instance.

Changed in rsyslog:
status: Confirmed → Won't Fix