Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection

Elliott Mitchell ehem+debian at m5p.com
Tue May 14 02:13:33 BST 2024


affects 1070033 nslcd
quit

On Wed, May 01, 2024 at 01:45:00PM +0200, Andreas Metzler wrote:
> On 2024-04-30 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> > On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> > > On 2024-04-29 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> [...] 
> > > > From `nslcd` on clients I was getting the message:
> > > > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS connection was non-properly terminated.: Resource temporarily unavailable
> [...] 
> > > > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > > > is two arguments; the ldaps and ldapi are a single argument), I got
> > > > traces from `slapd`: (serial numbers filed off)
> > > 
> > > > tls_read: want=5, got=5
> > > >   0000:  16 03 01 01 8f
> > > 
> > > > tls_read: want=399, got=399
> > > >   0160:    ............fd12  
> > > >   0170:    :3456:7890:abcd:  
> > > >   0180:    :3.-......... at .   
> > > > TLS: can't accept: A disallowed SNI server name has been received..
> > > > connection_read(13): TLS accept failure error=-1 id=1005, closing
> [...]
> > > I guess you used the IPv6 address as either CN or Subject Alternative
> > > Name. Both take names, not IP addresses. There is a different field for
> > > IP addresses.
> > > 
> > > gnutls-cli --port 636 fd12:3456:7890:abcd::3 
> > > 
> > > will probably give more info.
> > > 
> > > FWIW I have just generated a local test certificate with "IPAddress:"
> > > set to '::1' and things work for me as expected.
> 
> > Hmm, `gnutls-cli --port ldaps` gave a different result.  The connection
> > successfully established and I was left being able to type to `slapd`.
> [...]
> > Anything further is purely guesswork.

> well you could post the complete output of
> gnutls-cli --port 636 fd12:3456:7890:abcd::3
> perhaps even with -d10? I would reassign to openldap then if there are
> no obvious clues.

`gnutls-cli` doesn't yield anything obvious.

Problem is there are at least 3 packages where the bug could lurk:

libgnutls30's API could indicate numeric addresses are legal somewhere,
but not accept IPv6 addresses (something gets fed to
_gnutls_dnsname_is_valid() which shouldn't be).

I notice the libgnutls30 function _gnutls_dnsname_is_valid() will return
true for "127.0.0.1".  This function is almost certainly wrong as it
accepts IPv4 addresses (which are not valid in DNS), but rejects IPv6
addresses.


nslcd could be passing something which could be an IP address to the
wrong part of the libgnutls30 API.  nslcd might also be sending an IP
address in LDAP somewhere it is required to send a hostname.

slapd could be passing something which could be an IP address to the
wrong part of the libgnutls30 API.  slapd might also be assuming
something in LDAP is a hostname when it is valid to be an IP address.


Right now _gnutls_dnsname_is_valid() seems highly suspect.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sigmsg at m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
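Editor's added example (not code from GnuTLS, nslcd or OpenLDAP, and not part of the message above): the server-side error in the trace, "A disallowed SNI server name has been received", refers to the RFC 6066 rule that the SNI HostName is a DNS name and that literal IPv4 and IPv6 addresses are not permitted in it. The small validator below applies that rule consistently to both address families, using the DNS label limits (63 octets per label, 253 for the whole name) and inet_pton() for the address check, and shows the client-side consequence: when the URL host is an IP literal, as in ldaps://[fd12:3456:7890:abcd::3]/, there is no valid SNI name to send. The function names, the `ldap.example.org` name and the other sample inputs are constructed for the illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `host` parses as a literal IPv4 or IPv6 address, with or without
 * the square brackets used for IPv6 in URLs (ldaps://[fd12::3]/).
 * inet_pton() does the parsing so no address grammar is hand-rolled. */
bool is_ip_literal(const char *host)
{
    char stripped[INET6_ADDRSTRLEN + 2];
    unsigned char addr[16];
    size_t len = strlen(host);

    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof stripped)
            return false;
        memcpy(stripped, host + 1, len - 2);
        stripped[len - 2] = '\0';
        host = stripped;
    }
    return inet_pton(AF_INET, host, addr) == 1 ||
           inet_pton(AF_INET6, host, addr) == 1;
}

/* RFC 6066 section 3: the SNI HostName is a fully qualified DNS name;
 * literal IPv4 and IPv6 addresses are not permitted.  DNS limits (RFC 1035):
 * labels of 1..63 LDH octets, whole name at most 253 octets. */
bool sni_hostname_is_valid(const char *host)
{
    size_t len = strlen(host);
    size_t label = 0;   /* length of the label being scanned */

    if (len == 0 || len > 253)
        return false;
    if (is_ip_literal(host))          /* the rule the trace's error is about */
        return false;

    for (size_t i = 0; i <= len; i++) {
        char c = host[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63)   /* empty label (also trailing dot) */
                return false;
            if (host[i - 1] == '-')         /* label may not end with '-' */
                return false;
            label = 0;
            continue;
        }
        if (!(isalnum((unsigned char)c) || c == '-'))
            return false;                   /* not an LDH character */
        if (label == 0 && c == '-')
            return false;                   /* label may not start with '-' */
        label++;
    }
    return true;
}

/* What a TLS client should place in the SNI extension for a URL host:
 * the name itself for a DNS name, nothing (NULL) for an IP literal. */
const char *sni_name_for_url_host(const char *url_host)
{
    return sni_hostname_is_valid(url_host) ? url_host : NULL;
}

int main(void)
{
    /* Constructed sample inputs; the IPv6 address is the one from the trace. */
    const char *hosts[] = {
        "ldap.example.org", "fd12:3456:7890:abcd::3",
        "[fd12:3456:7890:abcd::3]", "127.0.0.1", "::1", "-bad.example", "",
    };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *sni = sni_name_for_url_host(hosts[i]);
        printf("%-26s ip_literal=%d  sni=%s\n", hosts[i],
               is_ip_literal(hosts[i]), sni ? sni : "(omit extension)");
    }
    return 0;
}
```

The point for the bug triage above: a check like this treats "127.0.0.1" and "fd12:3456:7890:abcd::3" the same way, both are rejected as SNI names, and a client that applies it before building the ClientHello never sends an IP literal in the extension at all, so the server never has to reject it.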