Package: libgnutls30
Version: 3.7.9-2+deb12u2
Severity: important

Long story to finding this one. Trying to get LDAP set up on this network. As a recent deployment it seemed appropriate to use IPv6.

From `nslcd` on clients I was getting the message:

nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS connection was non-properly terminated.: Resource temporarily unavailable

Running `nslcd` in debug mode failed to yield any additional useful information. Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///' is two arguments, the ldaps and ldapi are a single argument), I got traces from `slapd`:

(serial numbers filed off)

tls_read: want=5, got=5
  0000:  16 03 01 01 8f
tls_read: want=399, got=399
  0160:  ............fd12
  0170:  :3456:7890:abcd:
  0180:  :3.-.........@.
TLS: can't accept: A disallowed SNI server name has been received..
connection_read(13): TLS accept failure error=-1 id=1005, closing

Further tracing of the error message appears to point to the function `_gnutls_dnsname_is_valid()` in gnutls/lib/str.h. Seems libgnutls30 is incompatible with numeric IPv6 addresses.

While IPv6-only hosts are presently uncommon, there is now quite a bit of IPv6 traffic in many places. I think this is worthy of having a severity of "critical" as "bookworm" may remain as "stable" past when there is more IPv6 traffic than IPv4 traffic. For "trixie" this seems very likely.

-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
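
An added diagnostic sketch, not part of the original report and not GnuTLS code: it extracts the server_name (SNI) value from a TLS ClientHello record like the one in the `slapd` trace above and reports whether it is an IP literal, which RFC 6066 does not permit in the HostName field. The ClientHello is built by the hypothetical helper `build_client_hello` from constructed values, and `ldap.example.net` in the usage note is a placeholder name.

```python
import ipaddress
import struct

def build_client_hello(sni: bytes) -> bytes:
    """Constructed minimal TLS ClientHello record carrying one server_name (test input)."""
    name = b"\x00" + struct.pack("!H", len(sni)) + sni             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # same record header as the trace

def extract_sni(record: bytes):
    """Return the host_name sent in a complete ClientHello record, or None if there is none."""
    if (len(record) < 9 or record[0] != 0x16 or record[5] != 0x01
            or len(record) < 5 + int.from_bytes(record[3:5], "big")):
        raise ValueError("not a complete TLS ClientHello record")
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    if p + 2 > len(record):
        return None                                  # ClientHello without extensions
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= min(end, len(record)):
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0:                               # server_name extension
            q = p + 2                                # skip ServerNameList length
            while q + 3 <= p + elen:
                ntype, nlen = record[q], struct.unpack_from("!H", record, q + 1)[0]
                if ntype == 0:
                    return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += elen
    return None

def classify_sni(name):
    """'absent', 'ip-literal' (not permitted as HostName by RFC 6066) or 'dns-name'."""
    if name is None:
        return "absent"
    try:
        ipaddress.ip_address(name.strip("[]"))
        return "ip-literal"
    except ValueError:
        return "dns-name"
```

`classify_sni(extract_sni(build_client_hello(b"fd12:3456:7890:abcd::3")))` gives `ip-literal`, while the same call with `b"ldap.example.net"` gives `dns-name`; bytes captured from a real handshake can be passed to `extract_sni` in place of the constructed record.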