Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection
Elliott Mitchell
ehem+debian at m5p.com
Fri May 17 17:54:21 BST 2024
On Thu, May 16, 2024 at 07:06:49PM -0700, Elliott Mitchell wrote:
> On Tue, May 14, 2024 at 06:22:09PM +0200, Andreas Metzler wrote:
> > On 2024-05-14 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> > > On Wed, May 01, 2024 at 01:45:00PM +0200, Andreas Metzler wrote:
> > [...]
> > >> well you could post the complete output of
> > >> gnutls-cli --port 636 fd12:3456:7890:abcd::3
> > >> perhaps even with -d10? I would reassign to openldap then if there are
> > >> no obvious clues.
> >
> > > `gnutls-cli` doesn't yield anything obvious.
> > [...]
>
> > Could you please post the requested output, although there are no
> > obvious clues there to your eyes?
>
> Problem is that provides rather a lot of data about this network setup.
> The quantity of information is enough for me to be rather uncomfortable
> with providing it via public channel.
>
>
> I did get the connection to proceed further than before though. If I add
> the IPv6 address of the LDAP server to /etc/hosts, and then use the
> hostname instead of IPv6 address for the uri line of /etc/nslcd.conf
> things get further (I believe over IPv6, but I haven't satisfactorily
> verified this).
>
> This suggests #1070033 is either in libgnutls30 or slapd. The issue
> could be slapd is passing an IPv6 address to a portion of libgnutls30's
> API which requires a hostname. The issue could be libgnutls30 rejects
> IPv6 addresses in some place(s) where they should be valid by the API.
>
> I notice the `_gnutls_dnsname_is_valid()` function in
> gnutls28-3.8.5/lib/str.h accepts IPv4 addresses (which are NOT valid in
> DNS), but rejects IPv6 addresses.
Then I look deeper and find RFC 6066
(https://www.rfc-editor.org/rfc/rfc6066), page 7:
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
This suggests there are at least 2, possibly 3 or more bugs.
#1 RFC 6066 says neither are legal, yet _gnutls_dnsname_is_valid()
accepts IPv4 addresses (including the 32-bit integer version), but
rejects IPv6 addresses. This sort of inconsistency leads to security
breaches.
#2 The gnutls library uses the SNI extension without checking
whether it was passed a literal address.
#3 nslcd always passes the host string provided to its "uri"
configuration setting to the gnutls API without checking whether it is a
literal address.
#1 is definitely a bug present in the libgnutls30 package. At least one
of #2 and #3 is definitely a bug, but both may very well be bugs. Seems
better to check in the library as it could affect multiple programs using
the library.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | ehem+sigmsg at m5p.com PGP 87145445 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
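As an added illustration (not gnutls or nslcd code, and not part of the thread) of the consistent check the message argues for, the helper below classifies a host string the way RFC 6066 requires before deciding whether an SNI HostName may be sent. Function and enum names are my own; inet_aton() is used deliberately for the IPv4 side because, unlike inet_pton(), it also accepts the legacy 32-bit integer form mentioned above, and the bracketed "[addr]" form from a URI authority (as in an nslcd "uri" line) is handled as well.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* How a host string should be treated for RFC 6066 SNI purposes. */
enum host_kind { HOST_NAME, HOST_IPV4_LITERAL, HOST_IPV6_LITERAL };

/* Classify a host string; "[...]" around an IPv6 literal is stripped first. */
enum host_kind classify_host(const char *host)
{
    char buf[INET6_ADDRSTRLEN + 2];
    struct in_addr v4;
    struct in6_addr v6;
    size_t len = strlen(host);

    /* Bracketed form from a URI authority, e.g. "[fd12::3]". */
    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof buf)
            return HOST_NAME;            /* too long to be an address */
        memcpy(buf, host + 1, len - 2);
        buf[len - 2] = '\0';
        return inet_pton(AF_INET6, buf, &v6) == 1 ? HOST_IPV6_LITERAL : HOST_NAME;
    }
    if (inet_pton(AF_INET6, host, &v6) == 1)
        return HOST_IPV6_LITERAL;
    /* inet_aton() accepts the legacy forms inet_pton() rejects, including
     * the bare 32-bit integer spelling such as "3232235777". */
    if (inet_aton(host, &v4) != 0)
        return HOST_IPV4_LITERAL;
    return HOST_NAME;
}

/* RFC 6066: literal IPv4 and IPv6 addresses are not permitted in HostName,
 * so SNI is only set for a real DNS name. */
bool sni_allowed(const char *host)
{
    return classify_host(host) == HOST_NAME;
}

int main(void)
{
    /* Sample inputs: the fd12... address is from the thread, the rest are constructed. */
    const char *hosts[] = { "fd12:3456:7890:abcd::3", "[fd12:3456:7890:abcd::3]",
                            "192.0.2.1", "3232235777", "ldap.example.org" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-26s kind=%d sni=%s\n", hosts[i], classify_host(hosts[i]),
               sni_allowed(hosts[i]) ? "yes" : "no");
    return 0;
}
```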