Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection
Andreas Metzler
ametzler at bebt.de
Wed May 1 12:45:00 BST 2024
On 2024-04-30 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> > On 2024-04-29 Elliott Mitchell <ehem+debian at m5p.com> wrote:
[...]
> > > From `nslcd` on clients I was getting the message:
> > > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS connection was non-properly terminated.: Resource temporarily unavailable
[...]
> > > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > > is two arguments, the ldaps and ldapi are a single argument). I got
> > > traces from `slapd`: (serial numbers filed off)
> >
> > > tls_read: want=5, got=5
> > > 0000: 16 03 01 01 8f
> >
> > > tls_read: want=399, got=399
> > > 0160: ............fd12
> > > 0170: :3456:7890:abcd:
> > > 0180: :3.-......... at .
> > > TLS: can't accept: A disallowed SNI server name has been received..
> > > connection_read(13): TLS accept failure error=-1 id=1005, closing
[...]
> > I guess you used the IPv6 address as either CN or Subject Alternative
> > Name. Both take names, not IP addresses. There is a different field for
> > IP addresses.
> >
> > gnutls-cli --port 636 fd12:3456:7890:abcd::3
> >
> > will probably give more info.
> >
> > FWIW I have just generated a local test certificate with "IPAddress:"
> > set to '::1' and things work for me as expected.
> Hmm, `gnutls-cli --port ldaps` gave a different result. The connection
> successfully established and I was left being able to type to `slapd`.
[...]
> Anything further is purely guesswork.
Hello,
well you could post the complete output of
gnutls-cli --port 636 fd12:3456:7890:abcd::3
perhaps even with -d10? I would reassign to openldap then if there are
no obvious clues.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
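An added example, not part of the original thread: the slapd trace above shows a ClientHello record (header `16 03 01 01 8f`, length 0x018f = 399) whose payload contains the literal `fd12:3456:7890:abcd::3`, and RFC 6066 does not permit literal IPv4 or IPv6 addresses in the SNI HostName. The sketch below parses the server_name extension out of a ClientHello and reports whether it carries an IP literal. The function names are hypothetical and the ClientHello is constructed for the example, not captured from the reporter's system.

```python
import ipaddress
import struct

def build_client_hello(sni: bytes) -> bytes:
    """Constructed sample: one TLS record holding a ClientHello with a single SNI entry."""
    name = b"\x00" + struct.pack("!H", len(sni)) + sni        # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(name)) + name             # ServerNameList
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext      # extension type 0
    body = (b"\x03\x03" + bytes(32)                           # version, random
            + b"\x00"                                         # empty session id
            + b"\x00\x02\x13\x01"                             # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # same header form as the trace

def extract_sni(record: bytes):
    """Return the host_name bytes from a ClientHello record, or None if absent."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                   # record+handshake hdr, version, random
        p += 1 + record[p]                               # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher suites
        p += 1 + record[p]                               # compression methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == 0:                               # server_name extension
                q = p + 2                                # skip ServerNameList length
                if record[q] == 0:
                    nlen = struct.unpack_from("!H", record, q + 1)[0]
                    return record[q + 3:q + 3 + nlen]
            p += elen
    except (IndexError, struct.error):                   # truncated or malformed input
        pass
    return None

def sni_is_ip_literal(record: bytes) -> bool:
    """True when the SNI host_name parses as an IPv4 or IPv6 address."""
    name = extract_sni(record)
    try:
        ipaddress.ip_address((name or b"").decode("ascii"))
        return True
    except ValueError:                                   # not an address (or not ASCII)
        return False
```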