Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection

Andreas Metzler ametzler at bebt.de
Tue Apr 30 04:55:15 BST 2024


On 2024-04-29 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> Package: libgnutls30
> Version: 3.7.9-2+deb12u2
> Severity: important

> Long story to finding this one.  Trying to get LDAP setup on this
> network.  As a recent deployment it seemed appropriate to use IPv6.

> From `nslcd` on clients I was getting the message:
> nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS connection was non-properly terminated.: Resource temporarily unavailable

> Running `nslcd` in debug mode failed to yield any additional useful
> information.

> Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> is two arguments, the ldaps and ldapi are a single argument).  I got
> traces from `slapd`: (serial numbers filed off)

> tls_read: want=5, got=5
>   0000:  16 03 01 01 8f

> tls_read: want=399, got=399
>   0160:    ............fd12  
>   0170:    :3456:7890:abcd:  
>   0180:    :3.-......... at .   
> TLS: can't accept: A disallowed SNI server name has been received..
> connection_read(13): TLS accept failure error=-1 id=1005, closing

> Further tracing of the error message appears to point to the function
> `_gnutls_dnsname_is_valid()` in gnutls/lib/str.h.  Seems libgnutls30 is
> incompatible with numeric IPv6 addresses.

> While IPv6-only hosts are presently uncommon, there is now quite a bit of
> IPv6 traffic in many places.  I think this is worthy of having a severity
> of "critical" as "bookworm" may remain as "stable" past when there is
> more IPv6 traffic than IPv4 traffic.  For "trixie" this seems very
> likely.
[...]

Good morning,

I guess you used the IPv6 address as either CN or Subject Alternative
Name. Both take names, not IP addresses. There is a different field for
IP addresses.

gnutls-cli --port 636 fd12:3456:7890:abcd::3 

will probably give more info.

FWIW I have just generated a local test certificate with "IPAddress:"
set to '::1' and things work for me as expected.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
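To illustrate the distinction made above (an IP literal belongs in the certificate's iPAddress field, not in CN or dNSName, and is also not a valid DNS name for SNI purposes), here is a small stand-alone Python model. It is added example code, not GnuTLS or nslcd code, and the SAN entries it is fed are constructed.

```python
import ipaddress
import re

# One DNS label per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dnsname(name: str) -> bool:
    """Syntactic check of the kind a TLS stack applies to an SNI host name
    or a dNSName SAN entry.  Any numeric IP literal (IPv6 literals always
    contain ':') is rejected: it is simply not a DNS name."""
    if not name or len(name) > 253:
        return False
    name = name.rstrip(".")
    try:
        ipaddress.ip_address(name)
        return False  # numeric address, not a host name
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in name.split("."))


def sni_host_name(target: str):
    """Name a client may put in the SNI extension for `target`, or None when
    nothing may be sent (RFC 6066 forbids IP literals in server_name).
    Brackets from URL syntax such as ldaps://[fd12::3]/ are stripped."""
    host = target.strip("[]")
    return host if is_valid_dnsname(host) else None


def cert_matches(target: str, san) -> bool:
    """Match `target` against SAN entries given as (kind, value) tuples,
    e.g. ("DNS", "ldap.example.org") or ("IP", "::1").  An IP target is
    compared only against iPAddress entries, never against dNSName, and
    the comparison is done on parsed addresses so "::3" equals "0:0:0:3".
    Wildcard dNSName matching is deliberately left out of this model."""
    host = target.strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and value.lower() == host.lower():
            return True
    return False
```

With the address from the report, a certificate carrying "fd12:3456:7890:abcd::3" as a dNSName never matches, while the same address as an iPAddress entry does; the model also yields no usable SNI name for it.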
