LDAP over SSL does not work with Ubuntu Prolonged Pain

Thorsten Glaser t.glaser at tarent.de
Tue May 22 11:23:07 CEST 2012


On Thu, 10 May 2012, Nikos Mavrogiannopoulos wrote:

> So if I understand your issue is that gnutls 3.0.11 doesn't work
> for you in Ubuntu but gnutls 3.0.19 works for you in a Debian

Actually, that’s not 3.0.11 but 2.12.14-5ubuntu3 in Ubuntu precise.
I’ve tracked it down a bit: 2.10.5-1ubuntu3 in Ubuntu oneiric also
fails; 2.8.6-1ubuntu2.1 in Ubuntu natty (and 2.8.5-2ubuntu0.1 in
Ubuntu lucid) pass.

But with those that do not fail, gnutls-cli still outputs a certificate
validation error which openssl s_client doesn’t (it says the connection
is fine):

root@natty:~ # gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 dc.lan.tarent.de
Processed 407 CA certificate(s).
Resolving 'dc.lan.tarent.de'...
Connecting to '172.26.100.1:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 01
	Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Validity:
		Not Before: Mon Feb 07 10:24:29 UTC 2011
		Not After: Sat Feb 06 10:24:29 UTC 2016
	Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=dc.lan.tarent.de,EMAIL=admins@tarent.de
	Subject Public Key Algorithm: RSA
		Modulus (bits 1024):
			b7:9c:d6:48:f1:e9:e6:c7:0d:68:cd:67:8e:c3:14:29
			3d:d6:83:11:d0:95:3b:75:62:9d:0d:c2:67:5f:83:69
			20:29:57:7d:89:9f:4f:99:54:d6:72:1d:11:59:1a:1b
			db:ea:00:48:2f:d6:d5:c6:56:1e:fc:cb:91:c4:36:f8
			cc:a2:a9:dd:34:ad:2f:66:eb:89:fa:1b:a8:57:9a:0b
			75:f1:da:0c:a7:d0:f4:73:3d:cf:24:1e:75:95:6f:bb
			7f:c1:65:12:36:64:eb:ac:b7:14:2b:6d:99:3f:05:b6
			36:cc:41:99:fa:fb:52:89:46:94:83:2d:ac:34:13:ef
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): FALSE
		Subject Key Identifier (not critical):
			85f8172fa622f26215c5da9092a64ba77e007fa6
		Authority Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
	Signature Algorithm: RSA-SHA
	Signature:
		23:36:68:08:39:7c:20:6e:71:37:97:44:bc:bb:b6:af
		30:6f:7d:e7:90:fb:3d:02:2d:88:c9:44:a4:76:4e:65
		21:aa:cd:6a:92:80:a5:86:4a:9d:7e:dc:5a:ba:4d:88
		67:a3:1b:a9:4b:c9:85:f0:4b:da:28:41:0b:3d:e1:29
		cb:b7:7e:7c:de:c2:fe:55:3c:52:4f:75:e3:e2:c4:22
		71:b9:19:5b:e2:3f:41:7f:98:de:c0:02:be:18:9b:0c
		46:b0:5c:76:4f:0b:33:10:c4:d8:24:2e:f0:6c:68:ce
		ee:02:8e:c7:87:3a:0f:55:09:4c:df:6a:e0:de:65:d7
		ec:db:2e:9e:fd:f5:87:0f:d6:8c:a1:c8:d0:c5:bc:61
		f0:48:3d:fd:e8:e3:41:86:9c:37:27:41:11:61:cd:84
		18:de:ef:9b:60:ac:f4:ab:3c:b5:61:f4:31:8e:fa:85
		06:7a:c9:24:50:b5:9b:dc:1f:66:cf:5d:7c:08:e4:0d
		be:53:0d:54:ca:47:5c:b5:b0:46:94:83:64:ab:37:8e
		8e:55:81:32:80:da:a5:49:32:5d:72:0c:5c:15:64:ab
		4b:55:b7:ca:bb:41:a1:db:8f:f3:1a:b2:59:e3:da:b0
		ed:d3:4c:75:a4:34:8c:1f:2a:73:e6:d0:72:40:16:55
Other Information:
	MD5 fingerprint:
		4b8a61b6a2db43ba96516ab90e50f23b
	SHA-1 fingerprint:
		c11f5038e915c4cdf36743bc39b62ff60be8fdbf
	Public Key Id:
		85f8172fa622f26215c5da9092a64ba77e007fa6

 - Certificate[1] info:
  - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 009d7b9eab1ec7a249
	Issuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Validity:
		Not Before: Mon Feb 07 10:24:29 UTC 2011
		Not After: Wed Feb 06 10:24:29 UTC 2013
	Subject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			b1:86:75:49:51:8c:0d:19:f4:f5:1d:9e:63:c1:0b:01
			04:df:ba:dc:05:bc:49:4e:6c:21:de:7b:2c:a5:dd:bf
			89:bd:2f:8e:a6:e1:6a:61:aa:4c:e0:1e:c4:48:5e:04
			45:33:b9:d8:1f:99:ab:46:72:f4:42:f7:5a:4a:0d:ec
			a6:78:2d:1c:64:63:97:8a:16:90:80:36:9e:30:ac:a0
			c1:91:56:e4:6e:ea:38:9d:dd:de:30:a7:e5:6f:40:71
			91:90:38:6d:4e:c8:1a:f7:ed:59:6a:b8:96:bf:54:3b
			0e:6f:98:61:94:ab:1b:58:4d:db:78:a8:19:38:ea:4e
			b6:1c:0b:6d:b3:76:1a:4e:80:c7:68:9b:0b:e3:81:5a
			14:5d:ea:61:b5:a1:9d:b1:ec:d8:b7:37:f7:a4:01:d3
			13:b7:88:3f:08:9a:43:de:2d:30:f3:ad:60:d3:09:36
			b7:08:7e:d6:cf:04:9b:bd:45:ac:55:8f:0b:bc:49:ca
			3f:e7:c8:2a:42:3a:05:d5:dd:07:77:10:c2:07:ca:a2
			2a:2e:84:a9:6b:b3:b0:f8:79:25:8e:bc:b5:c1:d7:c2
			1c:d7:0a:41:b0:55:4f:d0:44:50:d2:15:75:5b:21:dd
			a5:24:82:a9:99:63:8b:8d:d5:7d:71:19:31:62:e4:f7
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
		Authority Key Identifier (not critical):
			619b65ad7b77255a9ba408325077492ad6dd1d76
		Key Usage (not critical):
			Certificate signing.
			CRL signing.
		Unknown extension 2.16.840.1.113730.1.1 (not critical):
			ASCII: ....
			Hexdump: 03020007
		Subject Alternative Name (not critical):
			RFC822name: admins@tarent.de
		Unknown extension 2.5.29.18 (not critical):
			ASCII: 0...admins@tarent.de
			Hexdump: 3012811061646d696e7340746172656e742e6465
		Unknown extension 2.16.840.1.113730.1.13 (not critical):
			ASCII: .)This certificate is a Root CA Certificate
			Hexdump: 162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465
	Signature Algorithm: RSA-SHA
	Signature:
		5b:a1:a8:ec:95:0a:95:40:ed:da:55:79:bb:75:9e:0d
		1c:73:dd:dc:e7:79:17:00:57:d7:08:a7:1b:7b:45:f3
		e3:7d:41:80:e1:49:4b:34:a1:cc:91:e1:e3:db:20:d9
		1f:01:8a:bc:74:10:40:6a:2a:c4:9c:05:d6:1a:27:c0
		da:83:81:0e:34:f7:f4:04:c5:68:38:c1:67:74:44:ab
		28:ee:a7:54:32:d7:1c:95:eb:90:a6:b9:46:d1:96:05
		99:8b:f0:d2:a3:05:43:82:3c:a1:e3:9d:52:b5:94:65
		df:df:9d:88:b5:d7:7b:1e:71:28:1e:a1:b2:80:2b:80
		57:59:57:e9:3f:10:78:01:45:54:cf:11:3c:6d:3e:ab
		50:59:3b:11:82:9a:a8:ad:ca:5a:8f:4a:e2:0c:40:da
		84:9f:bc:14:41:31:f7:ec:13:4d:48:b5:1e:96:65:3b
		1d:58:49:70:cf:04:f8:57:d3:7e:a3:3a:45:4f:05:78
		12:20:a5:b8:3a:5e:d8:17:b1:4c:37:fc:16:4e:d0:3e
		b8:ef:18:7d:ed:b2:17:c5:a6:d8:c1:34:84:34:b1:bf
		a9:67:f9:fc:82:20:96:6f:39:86:3b:bd:bd:98:52:a1
		e8:3d:6f:cb:1d:ff:f0:36:a6:c2:bf:72:3c:9b:65:21
Other Information:
	MD5 fingerprint:
		bbece4964408c9d6c8ce8079f4c4363c
	SHA-1 fingerprint:
		6da9e3f7bcea0df189a7f599599bc253517a57fc
	Public Key Id:
		619b65ad7b77255a9ba408325077492ad6dd1d76

- The hostname in the certificate matches 'dc.lan.tarent.de'.
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 3D:82:5B:4B:E3:DD:6C:A2:69:77:8C:B9:C6:A7:5A:4E:8F:F4:E9:5E:72:73:1C:BC:18:A3:4F:32:83:3A:03:30
*** Verifying server certificate failed...

Any idea about that?

Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese
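The verdict in the dump above can be reproduced offline. The following is an added example, not part of the original post and not GnuTLS code: it parses the `gnutls-cli -V` certificate dump (the two certificates quoted above, trimmed to the fields it needs and embedded as constructed sample text) into a chain and applies a simplified path check in which a certificate is trusted only if it, or the issuer it names, is in the CA store. A self-signed root that the server merely sends along with the chain does not count, which is exactly the situation here: `Certificate[1]` is the internal Univention root, and nothing in `ca-certificates.crt` vouches for it. `TRUSTED_SKIS` is a constructed stand-in for the Subject Key Identifiers of a real bundle; with it empty the result is "NOT trusted" for the same reason gnutls-cli gives, and adding the root's own SKI flips it. The example also flags two things visible in the dump: the root expires in Feb 2013 while the leaf runs to Feb 2016, and both signatures are `RSA-SHA`, which gnutls 2.x uses for sha1WithRSA. Note that `openssl s_client` completes the handshake regardless of verification and only reports the problem in its `Verify return code` line, so "the connection is fine" from s_client is not a trust verdict.

```python
"""Explain a gnutls-cli trust verdict from its -V certificate dump.

Added example (not from the original post or from GnuTLS). Assumes the
text layout of `gnutls-cli -V` as quoted in the thread. TRUSTED_SKIS is a
constructed stand-in for the SKIs found in ca-certificates.crt.
"""
import re
from datetime import datetime

# Constructed sample: the two certificates from the thread, trimmed to the
# fields parsed below (tabs as gnutls-cli prints them).
SAMPLE = """\
- Got a certificate list of 2 certificates.
 - Certificate[0] info:
\tIssuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
\tValidity:
\t\tNot Before: Mon Feb 07 10:24:29 UTC 2011
\t\tNot After: Sat Feb 06 10:24:29 UTC 2016
\tSubject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=dc.lan.tarent.de,EMAIL=admins@tarent.de
\tExtensions:
\t\tBasic Constraints (not critical):
\t\t\tCertificate Authority (CA): FALSE
\t\tSubject Key Identifier (not critical):
\t\t\t85f8172fa622f26215c5da9092a64ba77e007fa6
\t\tAuthority Key Identifier (not critical):
\t\t\t619b65ad7b77255a9ba408325077492ad6dd1d76
\tSignature Algorithm: RSA-SHA
 - Certificate[1] info:
\tIssuer: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
\tValidity:
\t\tNot Before: Mon Feb 07 10:24:29 UTC 2011
\t\tNot After: Wed Feb 06 10:24:29 UTC 2013
\tSubject: C=DE,ST=NRW,L=Bonn,O=tarent GmbH,OU=IT,CN=Univention Corporate Server Root CA,EMAIL=admins@tarent.de
\tExtensions:
\t\tBasic Constraints (critical):
\t\t\tCertificate Authority (CA): TRUE
\t\tSubject Key Identifier (not critical):
\t\t\t619b65ad7b77255a9ba408325077492ad6dd1d76
\t\tAuthority Key Identifier (not critical):
\t\t\t619b65ad7b77255a9ba408325077492ad6dd1d76
\tSignature Algorithm: RSA-SHA
"""

TRUSTED_SKIS = set()  # constructed: a system bundle that lacks the internal CA

CERT_HDR = re.compile(r"-\s*Certificate\[(\d+)\] info:")
KEY_ID = r"\([^)]*\):\s*([0-9a-f]+)"  # "(not critical):\n\t\t\t<hex>"


def _field(pattern, body):
    m = re.search(pattern, body)
    return m.group(1).strip() if m else None


def _date(s):
    # gnutls-cli prints e.g. "Sat Feb 06 10:24:29 UTC 2016"
    return datetime.strptime(s, "%a %b %d %H:%M:%S UTC %Y") if s else None


def parse_gnutls_chain(text):
    """One dict per certificate, in the order the server sent them."""
    parts = CERT_HDR.split(text)  # [preamble, idx, body, idx, body, ...]
    certs = []
    for idx, body in zip(parts[1::2], parts[2::2]):
        certs.append({
            "index": int(idx),
            "subject": _field(r"Subject: (.+)", body),
            "issuer": _field(r"Issuer: (.+)", body),
            "not_after": _date(_field(r"Not After: (.+)", body)),
            "ca": _field(r"Certificate Authority \(CA\): (TRUE|FALSE)", body) == "TRUE",
            "ski": _field(r"Subject Key Identifier " + KEY_ID, body),
            "aki": _field(r"Authority Key Identifier " + KEY_ID, body),
            "sig_alg": _field(r"Signature Algorithm: (.+)", body),
        })
    return certs


def explain_trust(chain, trusted_skis):
    """Simplified path check, leaf first. Returns (trusted, reasons).

    A link is accepted when its SKI is in the store; otherwise it must be
    issued by the next certificate (issuer DN and AKI must match) and that
    one must be a CA. A root the server sends is not trusted for being
    self-signed: it has to be in the store itself."""
    reasons = []
    for i, cert in enumerate(chain):
        if i > 0 and not cert["ca"]:
            reasons.append(f"cert[{i}] signs cert[{i - 1}] but has CA:FALSE")
            return False, reasons
        if cert["ski"] in trusted_skis:
            reasons.append(f"cert[{i}] '{cert['subject']}' is in the trust store")
            return True, reasons
        if i + 1 < len(chain):
            nxt = chain[i + 1]
            if cert["issuer"] != nxt["subject"] or cert["aki"] != nxt["ski"]:
                reasons.append(f"cert[{i}] issuer does not match cert[{i + 1}]")
                return False, reasons
    last = chain[-1]
    if last["aki"] in trusted_skis:
        reasons.append("issuer of the last certificate is in the trust store")
        return True, reasons
    kind = "self-signed root" if last["subject"] == last["issuer"] else "intermediate"
    reasons.append(f"chain ends at {kind} '{last['subject']}' (SKI {last['ski']}), "
                   "which is not in the trust store")
    return False, reasons


def chain_warnings(chain):
    """Things worth fixing on the server even once the root is installed."""
    out = []
    leaf = chain[0]
    for cert in chain[1:]:
        if cert["not_after"] and leaf["not_after"] and cert["not_after"] < leaf["not_after"]:
            out.append(f"CA '{cert['subject']}' expires {cert['not_after']:%Y-%m-%d}, "
                       f"before the leaf ({leaf['not_after']:%Y-%m-%d})")
    for i, cert in enumerate(chain):
        if cert["sig_alg"] in ("RSA-SHA", "RSA-SHA1", "RSA-MD5"):  # gnutls 2.x: RSA-SHA = sha1WithRSA
            out.append(f"cert[{i}] is signed with {cert['sig_alg']} (SHA-1/MD5 class)")
    return out


if __name__ == "__main__":
    chain = parse_gnutls_chain(SAMPLE)
    trusted, why = explain_trust(chain, TRUSTED_SKIS)
    print("Peer's certificate is trusted" if trusted else "Peer's certificate is NOT trusted")
    for line in why + chain_warnings(chain):
        print(" -", line)
```

Feeding it the real dump (`gnutls-cli -V ... > dump.txt`) and the SKIs of an actual bundle (for example extracted with `openssl x509 -noout -ext subjectKeyIdentifier`) gives the same answer gnutls-cli does and, unlike s_client's exit status, says why. The fix the parser points at is operational, not a GnuTLS bug: install the Univention root into the trust store used by the client (or pass it with `--x509cafile`), and plan for its 2013 expiry.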