[Pkg-openldap-devel] Bug#823232: libldap-2.4-2: Cannot connect to LDAP server with invalid (self-signed or non-standard CA signed) certificate
Aki Tuomi
aki.tuomi at dovecot.fi
Mon May 2 14:44:58 UTC 2016
Package: libldap-2.4-2
Version: 2.4.40+dfsg-1+deb8u2
Severity: important
Dear Maintainer,
The behaviour of OpenLDAP CLI and library appears to be broken. There seems to
be no way to allow invalid certificates (despite OpenLDAP library claiming that
it should be possible).
Simplest use case:
1. Install slapd with non-default CA signed certificate
2. Try to connect with openldap -Z -H ldap://server ...
Expected behaviour
Invalid cert ignored, and TLS continues
Actual behaviour
Failure with non-descriptive error, debug shows
ldap_start_tls: Connect error (-11)
Workaround, of course, is to install the non-standard CA as trusted CA
certificate. But the man page *does* say that it really should work.
The same behaviour occurs with direct LDAP library usage with
int opt = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option(conn->conn, LDAP_OPT_X_TLS, &opt);
ldap_set_option(conn->conn, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);
Again, this should allow a non-trusted certificate on the peer, which it appears
not to do.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libldap-2.4-2 depends on:
ii libc6 2.19-18+deb8u3
ii libgnutls-deb0-28 3.3.8-6+deb8u3
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii multiarch-support 2.19-18+deb8u3
libldap-2.4-2 recommends no packages.
libldap-2.4-2 suggests no packages.
-- Configuration Files:
/etc/ldap/ldap.conf changed:
TLS_CACERT /etc/ldap/certs.pem
TLS_REQCERT allow
TLS_CRLCHECK none
-- no debconf information