LDAP over SSL does not work with Ubuntu Prolonged Pain

Thorsten Glaser t.glaser at tarent.de
Mon May 14 14:31:03 CEST 2012


On Mon, 14 May 2012, Бранко Мајић wrote:

> If I were you, I'd try to download the source of the Ubuntu package and
> check the patches, possibly rebuilding the relevant packages by hand

Yeah, I was trying to avoid having to dig in the sources myself,
as I’ve got quite a lot on my hands already. It’s even for a
coworker, as I disagree with them using *buntu anyway.

> without those patches. You may find this guide helpful:
> 
> http://www.cyberciti.biz/faq/rebuilding-ubuntu-debian-linux-binary-package/

Maybe, if I were not a Debian Developer already ;-)

> What happens if you tell gnutls-cli to ignore check of certificates?
> Does it fail in the same way (i.e. just curious if the actual
> establishing of connections works ok)?

Ah, _there_’s the output I was looking for. Yes, it works,
but it does too when I disable CA checking in OpenLDAP.
Which is not quite the point though.

# gnutls-cli --insecure -p 636 dc.lan.tarent.de
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject =DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=dc.lan.tarent.de,EMAIL=admins at tarent.de', issuer =DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de', RSA key 1024 bits, signed using RSA-SHA1, activated É1-02-07 10:24:29 UTC', expires É6-02-06 10:24:29 UTC', SHA-1 fingerprint 11f5038e915c4cdf36743bc39b62ff60be8fdbf'
 - Certificate[1] info:
  - subject =DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de', issuer =DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins at tarent.de', RSA key 2048 bits, signed using RSA-SHA1, activated É1-02-07 10:24:29 UTC', expires É3-02-06 10:24:29 UTC', SHA-1 fingerprint a9e3f7bcea0df189a7f599599bc253517a57fc'
- The hostname in the certificate matches 'dc.lan.tarent.de'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

^C


Thanks
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese
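The gnutls-cli run above ends in "Peer's certificate issuer is unknown / NOT trusted": the handshake itself is fine and the hostname matches, only the issuing CA is absent from the client's trust store. The script below is an added example, not part of this thread and not anything from tarent or Univention; it reproduces that verdict offline with a throwaway CA and server certificate generated by openssl, and shows that the check passes once the client is handed the CA explicitly rather than told to skip verification. The hostname ldap.example.test and the CA name are constructed for the demonstration; nothing connects to dc.lan.tarent.de.

```shell
#!/bin/sh
# Added example: reproduce an "issuer unknown" verdict and the fix (trust the
# issuing CA explicitly) using a locally generated, throwaway PKI.
set -e

HOST=ldap.example.test            # constructed LDAPS hostname
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway root CA, standing in for an in-house CA such as the
#    "Univention Corporate Server Root CA" seen in the gnutls-cli output.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj '/C=DE/O=Constructed Example/CN=Constructed Root CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Server key + CSR for the LDAPS host, then a certificate signed by that CA.
#    The SAN extension is what a modern client matches the hostname against.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=DE/O=Constructed Example/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1

# check_server_cert CAFILE CERT HOSTNAME
#   CAFILE: CA bundle the client trusts ("" = no CA configured at all)
#   Prints "trusted" when the chain verifies against CAFILE *and* the
#   certificate is valid for HOSTNAME, otherwise "untrusted". The default
#   system store is disabled so the result depends only on CAFILE.
check_server_cert() {
    if [ -n "$1" ]; then
        set -- -CAfile "$1" -verify_hostname "$3" "$2"
    else
        set -- -verify_hostname "$3" "$2"
    fi
    if openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demonstration: the only "trusted" line is the one where the client has
# been given the CA and is talking to the host named in the certificate.
echo "no CA configured, right host: $(check_server_cert "" "$WORK/server.pem" "$HOST")"
echo "CA configured, right host:    $(check_server_cert "$WORK/ca.pem" "$WORK/server.pem" "$HOST")"
echo "CA configured, wrong host:    $(check_server_cert "$WORK/ca.pem" "$WORK/server.pem" other.example.test)"
```

For the real client the equivalent of the middle line is to point it at the CA rather than at --insecure: gnutls-cli accepts the bundle with --x509cafile ca.pem, and OpenLDAP's ldap.conf takes a TLS_CACERT line naming the same file, after which the issuer is known and the check can stay enabled.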
