[Pkg-openldap-devel] Bug#751002: libldap-2.4: No check of root certificate validity date

Paul van der Vlis paul at vandervlis.nl
Wed Jun 11 09:22:33 UTC 2014


Hi Randy,

On 11-06-14 03:34, Ryan Tandy wrote:
> Hi Paul,
> 
> On 09/06/14 04:29 AM, Paul van der Vlis wrote:
>> While upgrading from Debian 6 to Debian 7 LDAPS did not work anymore on the
>> client. I found out the root-certificate was outdated for a long time and the
>> validity date of a root certificate is not checked on a Debian 6 client. But it
>> is checked on a Debian 7 client, and this can give unexpected problems while
>> upgrading.  And it is a risk for Debian 6 installations.
> 
> This is a behaviour change between squeeze and wheezy, yes, but in
> libgnutls, not libldap; you can confirm it using gnutls-cli.
> 
> Are you suggesting the behaviour of gnutls in squeeze should be made
> more strict like in wheezy? If so we should reassign this to gnutls.

I think it's a bug in Squeeze not to check the root certificate. But
fixing the bug will give problems in existing installations and Squeeze
does not have normal security-support anymore.

We could reassign it to gnutls, or tell the people from squeeze-lts
about it. Maybe it's important for other packages or other situations.

>> The error while upgrading is:
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> Without any context that is a bit vague, but it sounds like a result I
> would expect in case of an expired certificate. Increasing libldap's
> debug level, or testing with "ldapsearch -d 1", will show you more
> details about the underlying cause of the failure.
> 
> If you need to disable the certificate verification to get your upgrade
> finished, you can use the TLS_REQCERT ldap.conf(5) option, but that's a
> rather big hammer as it disables several kinds of validation at once.
> 
> As the expiry check has already been fixed in wheezy and later, can you
> be more explicit about the changes you think should be done in order to
> resolve this report?

My goal was to give some publicity for people who are searching for this
problem during upgrading, like I did. And to tell about this bug in
Squeeze.

For me it's no problem to close the bug.

Thanks for your information!

With regards,
Paul van der Vlis.


-- 
Paul van der Vlis Linux system administration, Groningen
http://www.vandervlis.nl
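An added pre-upgrade check (example script, not from this report or from the OpenLDAP or GnuTLS packages): it splits the PEM bundle that ldap.conf's TLS_CACERT points at into single certificates and asks openssl to report any CA certificate that is already expired or expires within a threshold, which is exactly the condition a squeeze client accepted silently and a wheezy client rejects with "Can't contact LDAP server (-1)". It assumes the openssl CLI, awk and mktemp are available; the bundle path and the 30-day warning window are the caller's choice.

```shell
#!/bin/sh
# check_ca_bundle BUNDLE [WARN_DAYS]
# Exit 0 when every certificate in BUNDLE is valid and stays valid for at
# least WARN_DAYS (default 30); exit 1 and print the offenders otherwise.
# Constructed example; run it against the file named by TLS_CACERT before
# upgrading a client whose old TLS stack skipped the root validity check.
check_ca_bundle() {
    bundle="$1"
    warn_days="${2:-30}"
    warn_secs=$((warn_days * 86400))
    status=0
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle: every BEGIN/END CERTIFICATE block goes to its own file.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"

    for f in "$tmpdir"/*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        enddate=$(openssl x509 -in "$f" -noout -enddate)
        # -checkend N exits 1 when notAfter is within N seconds of now,
        # so N=0 means "already expired".
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "EXPIRED: $subject ($enddate)"
            status=1
        elif ! openssl x509 -in "$f" -noout -checkend "$warn_secs" >/dev/null; then
            echo "EXPIRES within $warn_days days: $subject ($enddate)"
            status=1
        fi
    done

    rm -rf "$tmpdir"
    return $status
}
```

Because the check reports per certificate, an expired root sitting behind a still-valid intermediate is named explicitly instead of surfacing only as a failed bind.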


