
Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation



Hi,

Florian Weimer wrote:
> 
> In addition, this update tightens the checks for X.509v1 certificates
> which causes GNUTLS to reject certain certificate chains it accepted
> before.  (In certificate chain processing, GNUTLS does not recognize
> X.509v1 certificates as valid unless explicitly requested by the
> application.)

What the hell?
After upgrading libgnutls13, our server could no longer connect to our
LDAP server, apparently because it does not like its certificate chain
anymore...

Our servers use commercial certificates, with "GTE CyberTrust Global
Root" as the root certificate. It apparently is a v1 x509 certificate...

What is the solution for me? Should I rebuild all the applications and
libraries that use libgnutls, so that they request to accept x509v1
certificates? How?

-- 
Nicolas Boullis
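
Added example, not part of the original message or of GnuTLS: a way to see which certificates in a PEM chain are X.509v1, the kind the quoted advisory says are now rejected unless the application asks for them. The function names are hypothetical and the sample chain is built from constructed DER skeletons (version and serial number only), not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def cert_version(der):
    """X.509 version (1, 2 or 3) read from the start of tbsCertificate."""
    tag, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, pos, end = read_tlv(der, pos)      # first field of tbsCertificate
    if tag == 0x02:                         # serialNumber first: version omitted, so v1
        return 1
    if tag != 0xA0:                         # otherwise expect [0] EXPLICIT version
        raise ValueError("unexpected first field in tbsCertificate")
    tag, pos, end = read_tlv(der, pos)      # INTEGER inside the [0] wrapper
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[pos:end], "big") + 1   # encoded 0/1/2 means v1/v2/v3

def chain_versions(pem_text):
    """Version of every certificate in a PEM bundle, in file order."""
    return [cert_version(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

# Constructed sample input: DER skeletons, short-form lengths only.
def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body
def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")
V1 = der_tlv(0x30, der_tlv(0x30, der_tlv(0x02, b"\x01")))
V3 = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x05")))
SAMPLE_CHAIN = to_pem(V3) + to_pem(V3) + to_pem(V1)   # leaf, intermediate, v1 root
```

Running `chain_versions` over the server's own chain file shows whether the root or an intermediate is the v1 certificate.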

