[Pkg-openldap-devel] Bug#525605: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly

Arthur de Jong adejong at debian.org
Sat Apr 25 21:14:33 UTC 2009


Subject: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly
Package: libldap-2.4-2
Version: 2.4.15-1.1
Severity: important

I've been busy tracking down an LDAP/TLS-related bug in my package
(#521617) and found that the correct certificate checks are not done
correctly if I only set the LDAP_OPT_X_TLS_REQUIRE_CERT option on a
connection:
  int tls_reqcert = LDAP_OPT_X_TLS_NEVER;
  /* on the connection handle ld, not NULL (NULL sets the global option) */
  ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_reqcert);
On entering ldap_start_tls_s() I get:
  TLS: peer cert untrusted or revoked (0x42) 
  TLS: can't connect: (unknown error code).

If I set the option globally, after opening the connection:
  ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&tls_reqcert);
I get:
  TLS: hostname (192.168.12.1) does not match common name in certificate (server.host.name.tld).

But if I set both (after opening the connection) it works. Also, if I
set the global one before opening the connection it also works.
(full logs are below)

While browsing through the OpenLDAP source (I was reading through an
unpacked 2.4.11-1 tree with Debian patches applied but I suspect the
current code has the same flaw) I saw that sometimes the
ldo_tls_require_cert value was read as (from libraries/libldap/tls.c):
  lo->ldo_tls_require_cert
and sometimes as:
  ld->ld_options.ldo_tls_require_cert

I think (but haven't investigated further) that some of the
option-checks that are done should be done on the connection options,
not on the global ones.

I would be willing to investigate this further if you think that's a
good idea (maybe even provide a patch). I could also take it up with
upstream if you think it's not due to Debian patches (I know Debian's
libldap uses GnuTLS instead of the more commonly used OpenSSL but I
don't know to what extent it's patched).

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                    2.9-7           GNU C Library: Shared libraries
ii  libgnutls26              2.6.5-1         the GNU TLS library - runtime libr
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra

-- Full log of ldap_start_tls_s() with only connection option set

ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.12.1:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 192.168.12.1:389
ldap_pvt_connect: fd: 9 tm: 30 async: 0
ldap_ndelay_on: 9
ldap_int_poll: fd: 9 tm: 30
ldap_is_sock_ready: 9
ldap_ndelay_off: 9
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x964cb08 msgid 1
wait4msg ld 0x964cb08 msgid 1 (timeout 30000000 usec)
wait4msg continue ld 0x964cb08 msgid 1 all 1
** ld 0x964cb08 Connections:
* host: 192.168.12.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sat Apr 25 22:51:59 2009


** ld 0x964cb08 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x964cb08 request count 1 (abandoned 0)
** ld 0x964cb08 Response Queue:
   Empty
  ld 0x964cb08 response count 0
ldap_chkResponseList ld 0x964cb08 msgid 1 all 1
ldap_chkResponseList returns ld 0x964cb08 NULL
ldap_int_select
read1msg: ld 0x964cb08 msgid 1 all 1
read1msg: ld 0x964cb08 msgid 1 message type extended-result
read1msg: ld 0x964cb08 0 new referrals
read1msg:  mark request completed, ld 0x964cb08 msgid 1
request done: ld 0x964cb08 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).

-- Full log of ldap_start_tls_s() with only global option set

ldap_extended_operation_s 
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.12.1:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 192.168.12.1:389
ldap_pvt_connect: fd: 9 tm: 30 async: 0
ldap_ndelay_on: 9
ldap_int_poll: fd: 9 tm: 30
ldap_is_sock_ready: 9
ldap_ndelay_off: 9
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x9303b08 msgid 1
wait4msg ld 0x9303b08 msgid 1 (timeout 30000000 usec)
wait4msg continue ld 0x9303b08 msgid 1 all 1
** ld 0x9303b08 Connections:
* host: 192.168.12.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sat Apr 25 22:48:17 2009


** ld 0x9303b08 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x9303b08 request count 1 (abandoned 0)
** ld 0x9303b08 Response Queue:
   Empty
  ld 0x9303b08 response count 0
ldap_chkResponseList ld 0x9303b08 msgid 1 all 1
ldap_chkResponseList returns ld 0x9303b08 NULL
ldap_int_select
read1msg: ld 0x9303b08 msgid 1 all 1
read1msg: ld 0x9303b08 msgid 1 message type extended-result
read1msg: ld 0x9303b08 0 new referrals
read1msg:  mark request completed, ld 0x9303b08 msgid 1
request done: ld 0x9303b08 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: hostname (192.168.12.1) does not match common name in certificate (server.host.name.tld).


-- 
-- arthur - adejong at debian.org - http://people.debian.org/~adejong --
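An added model, constructed here and not libldap's code, that reproduces the four outcomes in the report under the hypothesis it raises: the certificate-chain check reads the global lo->ldo_tls_require_cert while the hostname check reads the per-connection copy that ldap_initialize() took from the globals. The model_* functions, scenario(), and the two-struct layout are assumptions of this model; only the option names and their values (NEVER = 0, DEMAND = 2) mirror libldap.

```c
#include <stddef.h>
#include <string.h>

/* Values mirror LDAP_OPT_X_TLS_NEVER (0) and LDAP_OPT_X_TLS_DEMAND (2). */
enum { REQ_NEVER = 0, REQ_DEMAND = 2 };

struct ldapoptions { int ldo_tls_require_cert; };
struct ldap { struct ldapoptions ld_options; };

/* Library-wide defaults; libldap's own default is "demand". */
static struct ldapoptions global_opts = { REQ_DEMAND };

/* ldap_initialize(): a new handle takes a snapshot of the global options. */
static void model_initialize(struct ldap *ld) { ld->ld_options = global_opts; }

/* ldap_set_option(NULL or ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &v) */
static void model_set_require_cert(struct ldap *ld, int v) {
    if (ld == NULL) global_opts.ldo_tls_require_cert = v;
    else            ld->ld_options.ldo_tls_require_cert = v;
}

/* ldap_start_tls_s() against a server whose certificate is neither signed by
 * a trusted CA nor issued for the name we connected to (as in the report).
 * Returns the diagnostic the client would log, or "ok". */
static const char *model_start_tls(const struct ldap *ld, int cert_trusted, int name_matches) {
    const struct ldapoptions *lo = &global_opts;      /* the "lo->" lookup */
    if (lo->ldo_tls_require_cert != REQ_NEVER && !cert_trusted)
        return "TLS: peer cert untrusted or revoked (0x42)";
    /* the "ld->ld_options" lookup */
    if (ld->ld_options.ldo_tls_require_cert != REQ_NEVER && !name_matches)
        return "TLS: hostname does not match common name in certificate";
    return "ok";
}

/* Replay one of the report's four configurations from a fresh library state.
 * global_before: NEVER set globally before the handle exists;
 * conn / global_after: NEVER set on the connection / globally after it exists. */
static const char *scenario(int global_before, int conn, int global_after) {
    struct ldap ld;
    global_opts.ldo_tls_require_cert = REQ_DEMAND;    /* reset to the default */
    if (global_before) model_set_require_cert(NULL, REQ_NEVER);
    model_initialize(&ld);
    if (conn)          model_set_require_cert(&ld, REQ_NEVER);
    if (global_after)  model_set_require_cert(NULL, REQ_NEVER);
    return model_start_tls(&ld, 0, 0);
}
```

scenario(0,1,0) yields the "peer cert untrusted" line, scenario(0,0,1) the hostname mismatch, and both scenario(0,1,1) and scenario(1,0,0) succeed, matching the four observations above.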