=== added file 'debian/patches/gnutls-enable-v1-ca-certs'
--- debian/patches/gnutls-enable-v1-ca-certs 1970-01-01 00:00:00 +0000
+++ debian/patches/gnutls-enable-v1-ca-certs 2009-03-06 21:13:38 +0000
@@ -0,0 +1,31 @@
+## Mathias Gug
+## Enable V1 CA certs to be trusted.
+## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992
+## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264
+## Fixed in > 2.4.15
+## Patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238
+
+--- openldap.orig/libraries/libldap/tls_g.c 2009-03-02 02:01:41 +0000
++++ openldap/libraries/libldap/tls_g.c 2009-03-05 03:35:49 +0000
+@@ -1,5 +1,5 @@
+ /* tls_g.c - Handle tls/ssl using GNUTLS. */
+-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp $ */
++/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */
+ /* This work is part of OpenLDAP Software .
+ *
+ * Copyright 2008-2009 The OpenLDAP Foundation.
+@@ -349,6 +349,13 @@
+ if ( rc < 0 ) return -1;
+ rc = 0;
+ }
++
++ /* FIXME: ITS#5992 - this should go be configurable,
++ * and V1 CA certs should be phased out ASAP.
++ */
++ gnutls_certificate_set_verify_flags( ctx->cred,
++ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
++
+ if ( is_server ) {
+ gnutls_dh_params_init(&ctx->dh_params);
+ gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
+
=== modified file 'debian/patches/series'
--- debian/patches/series 2009-03-04 17:53:41 +0000
+++ debian/patches/series 2009-03-06 21:03:29 +0000
@@ -10,3 +10,4 @@
 libldap-symbol-versions
 getaddrinfo-is-threadsafe
 back-perl-init
+gnutls-enable-v1-ca-certs
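Review bot: In the `@@ -349,6 +349,13 @@` hunk of the added quilt patch for tls_g.c, the call `gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );` sits before the `if ( is_server )` branch and is unconditional, so every client and server context accepts version 1 certificates from the trust store as CAs and an administrator cannot opt out. V1 certificates have no basicConstraints extension, so any v1 certificate placed in the configured CA file or directory, even one added only to trust a single server, is then usable as an issuer. Until the setting the FIXME asks for exists, the comment should state that scope, e.g. `/* Accepts V1 certs as CAs only when they are in the trusted list; audit the CA file/dir for V1 end-entity certs. */`. The call also sets the verify flags rather than OR-ing into them, so it is worth confirming that nothing earlier in this function sets flags on `ctx->cred`, since the function body begins and ends outside the hunk. The header's "Fixed in > 2.4.15" should be treated as the removal condition for this patch when the package moves past that release.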