Bug#509593: libgnutls26: ldap-utils fails with 'TLS: peer cert untrusted or revoked (0x82)' with latest gnutls26

[Andreas Metzler]

On 2009-01-29 Steve Langasek <steve.langasek at canonical.com> wrote:
> Hi Andreas,

> > is this the issue that is also being discussed in
> > http://news.gmane.org/find-root.php?message_id=%3c49654581.3020505%40anl.gov%3e
> > or is it the original submitter a different one than Douglas E.
> > Engert?

> That looks to be the same issue, though Douglas is not who submitted the bug
> to Ubuntu (and I don't see any record of his bug ever having made it to
> Ubuntu).  Thanks for the pointer to this!  Do you think you'll be applying
> this patch to the Debian package soon?  Looks release-critical to me, given
> that it breaks validation of valid (and well-known) CAs.

Hello,

I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs, 
which afaiui are rare.
http://news.gmane.org/find-root.php?message_id=%3c20090110155632.10ba0626%40nmav%2deee%3e

Gnutls is documented to not trust this type of certificates unless a
special flag is set, afaict the bug is about the fact that gnutls
distrusted them even if the flag was set. Even fixing this did not help
Douglas, since it would have required changing nss-ldap to pass the
flag.

Douglas later posted a feature enhancement patch that makes GnuTLS
stop when an intermediate CA cert is found on the trusted CA
list.
http://news.gmane.org/find-root.php?message_id=%3c496BA38D.90104%40anl.gov%3e

The patch has not yet been reviewed positively - I think upstream first
needs to see the copyright assignment done.

cu and- Just found that you posted essentially the same summary to
https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264  -reas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'