[Pkg-openldap-devel] Bug#473796: TLS fails completely

Steve Langasek vorlon at debian.org
Thu Apr 3 08:36:44 UTC 2008


On Wed, Apr 02, 2008 at 02:34:12AM +0200, debian at x.ray.net wrote:
> now with the slapd 2.4.7 package (with gnutls) this seems to force
> client-certs, too. a TLS query without client-cert won't work - but
> commenting the 'security' line out results in working TLS and working
> non-TLS queries.

The default behavior when TLS is enabled is "TLSVerifyClient never"; 2.4.7
did have a bug related to this, but this was resolved in the 2.4.7-5
package.

> it seems like openssl and gnutls or slapd 2.3 and slapd 2.4 simply
> behave differently for 'security tls=128'.

That's possible, I never tested with 'security tls=<n>'.

> user at host:~$ ldapsearch -ZZ -x -h localhost -b dc=foo-bar,dc=baz
> "(objectClass=*)" -d 1
[...]
> res_errno: 13, res_error: <stronger TLS confidentiality required>,
[...]

Well, that's clear enough, anyway.

Does server debugging indicate what it thinks the current TLS strength is?
You specified -ZZ, so *some* TLS is in use - the question is why the server
thinks it isn't strong enough?

> > TLS negotiation is protocol-specific; connecting on the LDAP port with
> > gnutls-cli is not a meaningful test of TLS support.

> oic!? i thought TLS works like a wrapper and has a common handshake for
> any protocol it subsequently transports... i would have found that
> elegant (and handy, e.g. for debugging with gnutls-cli ;) - too bad.

That accurately describes SSL, but not TLS.  You could try connecting with
ldaps:// (after configuring the server for the additional port) instead of
ldap:// + TLS, then that part should work with gnutls-cli.

> > I haven't tested the -6.1 NMU specifically, but "worksforme" on the previous
> > builds of 2.4.7, and indeed I tested TLS support quite extensively while
> > getting 2.4.7 into shape for Debian.

> did you by chance test the server-cert-but-no-client-certs scenario?

Yes; the variable here is the specification of "security tls=128", I think.
Server debug logs may help here; I'm not familiar with that part of the TLS
code and will have to dig a bit.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
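The point Steve makes above, that StartTLS on ldap:// is an LDAP extended operation rather than a TLS wrapper, is why gnutls-cli on the plain LDAP port cannot negotiate it: the client must first send a cleartext LDAP message carrying the StartTLS OID, and only after a success result does the TLS handshake begin. The following is an added example, not code from this thread or from OpenLDAP; the helper names, the BER encoder and the constructed server responses are my own, and single-byte message IDs and result codes are assumed.

```python
# Minimal BER encoder/decoder for the LDAP StartTLS extended operation (RFC 4511).
# Constructed example: tlv/parse_tlv and the sample responses are not OpenLDAP code.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"
# A few LDAP result codes; 13 is the one ldapsearch reported in the thread.
RESULT_CODES = {0: "success", 1: "operationsError", 13: "confidentialityRequired",
                52: "unavailable"}

def ber_len(n):
    """Encode a BER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext = tlv(0x77, tlv(0x80, START_TLS_OID))            # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)   # msg_id assumed < 128

def build_extended_response(msg_id, result_code, diag=b"", name=START_TLS_OID):
    """Server side (APPLICATION 24); used here only to fabricate input for the parser."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)
    if name:
        body += tlv(0x8A, name)                           # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, body))

def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf):
    """Return (msg_id, result_code, result_name, diagnostic, response_name)."""
    tag, msg, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(msg)
    tag, ext, _ = parse_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (APPLICATION 24)")
    _, rc, pos = parse_tlv(ext)
    _, _matched_dn, pos = parse_tlv(ext, pos)
    _, diag, pos = parse_tlv(ext, pos)
    name = None
    while pos < len(ext):                                 # optional [10]/[11] components
        tag, val, pos = parse_tlv(ext, pos)
        if tag == 0x8A:
            name = val.decode()
    code = int.from_bytes(rc, "big")
    return int.from_bytes(mid, "big"), code, RESULT_CODES.get(code, "unknown"), diag.decode(), name
```

A TLS client that skips this exchange sends a ClientHello where slapd expects an LDAPMessage, which is why a raw TLS probe only works against an ldaps:// listener.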