[Bug 514079] Re: rsyslog-gnutls can't validate V1 CA certificates
Bug Watch Updater
514079 at bugs.launchpad.net
Tue Oct 18 07:52:19 UTC 2011
Launchpad has imported 3 comments from the remote bug at
http://bugzilla.adiscon.com/show_bug.cgi?id=176.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2010-01-28T23:36:36+00:00 H.-Dirk Schmitt wrote:
In my organisation the CA is based on a V1 CA certificate.
This triggers the following error:
pluto rsyslogd: not permitted to talk to peer, certificate invalid: signer is not a CA
I can reproduce the problem with gnutls-cli:
gnutls-cli -V --x509cafile /etc/ssl/certs/proarc-srv.crt -p 42514 pluto.computer42.org
--> - Peer's certificate issuer is not a CA
If I add '--priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT' to the command above, the certificate validation is successful.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563127#15 and
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for similar problems with gnutls.
Reply at: https://bugs.launchpad.net/rsyslog/+bug/514079/comments/0
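Added example, not part of the original report and not rsyslog or GnuTLS code: an X.509 v1 certificate has no extensions field, so it cannot carry the basicConstraints CA flag that a verifier reads to confirm the issuer is a CA, which matches the "signer is not a CA" error above. The sketch below reads the version and CA flag straight from DER; the helper names (tlv, children, ca_status, enc, sample) are hypothetical and the sample certificates are constructed skeletons, not real certificates.

```python
# Added example (not rsyslog or GnuTLS code): report X.509 version and CA flag.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")        # OID 2.5.29.19

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return [(tag, value), ...] for the TLVs inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def ca_status(der):
    """Return (version, is_ca); is_ca is None when v1/v2 cannot carry the flag."""
    tbs = tlv(tlv(der)[1])[1]                      # Certificate -> tbsCertificate
    fields = children(tbs)
    # version is [0] EXPLICIT INTEGER DEFAULT v1(0); v1 certificates omit it
    version = tlv(fields[0][1])[1][-1] + 1 if fields[0][0] == 0xA0 else 1
    if version < 3:
        return version, None                       # no extensions field exists
    for tag, val in fields:
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            for _, ext in children(tlv(val)[1]):
                parts = children(ext)              # OID, [critical], OCTET STRING
                if parts[0][1] == BASIC_CONSTRAINTS:
                    bc = children(tlv(parts[-1][1])[1])
                    return version, bool(bc and bc[0][0] == 0x01 and bc[0][1] != b"\x00")
    return version, False                          # v3 without basicConstraints

def enc(tag, *parts):
    """DER-encode short constructed samples (bodies under 128 bytes)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(version=None, bc=None):
    """Constructed skeleton: certificate layout, empty names, no real signature."""
    tbs = [enc(0xA0, enc(0x02, bytes([version - 1])))] if version else []
    tbs += [enc(0x02, b"\x01")] + [enc(0x30)] * 5  # serial, then 5 empty SEQUENCEs
    if bc is not None:
        ext = enc(0x30, enc(0x06, BASIC_CONSTRAINTS), enc(0x04, enc(0x30, bc)))
        tbs.append(enc(0xA3, enc(0x30, ext)))
    return enc(0x30, enc(0x30, *tbs), enc(0x30), enc(0x03, b"\x00"))

if __name__ == "__main__":
    for name, der in [("v1 CA", sample()), ("v3 CA", sample(3, enc(0x01, b"\xff"))),
                      ("v3 leaf", sample(3, b""))]:
        print(name, ca_status(der))
```

To inspect a real CA file, convert it from PEM to DER first and pass the bytes to ca_status; a result of (1, None) identifies a V1 CA of the kind described in this report.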
------------------------------------------------------------------------
On 2010-01-28T23:38:12+00:00 H.-Dirk Schmitt wrote:
Environment is ubuntu karmic / amd64.
rsyslog-gnutls 4.2.0-2ubuntu5.1
Reply at: https://bugs.launchpad.net/rsyslog/+bug/514079/comments/1
------------------------------------------------------------------------
On 2011-10-17T10:41:22+00:00 Rgerhards-j wrote:
Closing this bug, as the same issue never surfaced from someone else and
this is too much work for a single instance.
Reply at: https://bugs.launchpad.net/rsyslog/+bug/514079/comments/4
** Changed in: rsyslog
Status: Confirmed => Won't Fix
** Bug watch added: Debian Bug tracker #563127
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563127
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/514079
Title:
rsyslog-gnutls can't validate V1 CA certificates
Status in Rsyslog:
Won't Fix
Status in “rsyslog” package in Ubuntu:
New
Bug description:
Binary package hint: rsyslog
In my organisation the CA is based on a V1 CA certificate.
This triggers the following error:
pluto rsyslogd: not permitted to talk to peer, certificate invalid: signer is not a CA
I can reproduce the problem with gnutls-cli:
gnutls-cli -V --x509cafile /etc/ssl/certs/proarc-srv.crt -p 42514 pluto.computer42.org
--> - Peer's certificate issuer is not a CA
If I add '--priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT' to the command above,
the certificate validation is successful.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563127#15 and
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for similar
problems with gnutls.