affects 1070033 nslcd
quit

On Wed, May 01, 2024 at 01:45:00PM +0200, Andreas Metzler wrote:
> On 2024-04-30 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> > On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> > > On 2024-04-29 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> [...]
> > > > From `nslcd` on clients I was getting the message:
> > > > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP
> > > > server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server:
> > > > The TLS connection was non-properly terminated.: Resource temporarily
> > > > unavailable
> [...]
> > > > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > > > is two arguments, the ldaps and ldapi are a single argument). I got
> > > > traces from `slapd`: (serial numbers filed off)
> > > >
> > > > tls_read: want=5, got=5
> > > > 0000: 16 03 01 01 8f
> > > >
> > > > tls_read: want=399, got=399
> > > > 0160: ............fd12
> > > > 0170: :3456:7890:abcd:
> > > > 0180: :3.-.........@.
> > > > TLS: can't accept: A disallowed SNI server name has been received..
> > > > connection_read(13): TLS accept failure error=-1 id=1005, closing
> [...]
> > > I guess you used the IPv6 address as either CN or Subject Alternative
> > > Name. Both take names, not IP addresses. There is a different field for
> > > IP addresses.
> > >
> > > gnutls-cli --port 636 fd12:3456:7890:abcd::3
> > >
> > > will probably give more info.
> > >
> > > FWIW I have just generated a local test certificate with "IPAddress:"
> > > set to '::1' and things work for me as expected.
>
> > Hmm, `gnutls-cli --port ldaps` gave a different result. The connection
> > successfully established and I was left being able to type to `slapd`.
> [...]
> > Anything further is purely guesswork.
>
> well you could post the complete output of
> gnutls-cli --port 636 fd12:3456:7890:abcd::3
> perhaps even with -d10? I would reassign to openldap then if there are
> no obvious clues.

`gnutls-cli` doesn't yield anything obvious.

Problem is there are at least 3 packages where the bug could lurk:

libgnutls30's API could indicate numeric addresses are legal somewhere,
but not accept IPv6 addresses (something gets fed to
_gnutls_dnsname_is_valid() which shouldn't be).

I notice the libgnutls30 function _gnutls_dnsname_is_valid() will return
true for "127.0.0.1". This function is almost certainly wrong as it
accepts IPv4 addresses (which are not valid in DNS), but rejects IPv6
addresses.

nslcd could be passing something which could be an IP address to the
wrong part of the libgnutls30 API. nslcd might also be sending an IP
address in LDAP somewhere it is required to send a hostname.

slapd could be passing something which could be an IP address to the
wrong part of the libgnutls30 API. slapd might also be assuming
something in LDAP is a hostname when it is valid to be an IP address.

Right now _gnutls_dnsname_is_valid() seems highly suspect.

-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    ) /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
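Added example, not part of the bug report and not code from GnuTLS, nslcd or slapd. The slapd trace above is a TLS handshake record (16 03 01 01 8f: content type handshake, record length 0x18f = 399, matching "want=399") carrying a ClientHello whose SNI host_name is the IPv6 literal fd12:3456:7890:abcd::3. RFC 6066 section 3 states that literal IPv4 and IPv6 addresses are not permitted in the SNI HostName, which is the rule a strict server applies when it rejects such a hello. The script below builds a minimal ClientHello (constructed sample data, not a capture), walks the record and handshake headers to the extensions block exactly as a server does, extracts the SNI host_name, and applies the RFC 6066 rule so that both IPv4 and IPv6 literals are reported as disallowed. All function names are this example's own.

```python
"""Extract the SNI host_name from a TLS ClientHello and apply the
RFC 6066 section 3 rule (no IPv4/IPv6 literals in host_name).
Added example for the nslcd/slapd thread; not code from any of the
packages under discussion."""
import ipaddress
import struct
from typing import Optional, Tuple


def classify_server_identifier(name: str) -> str:
    """Return 'ipv4', 'ipv6' or 'dnsname' for a server identifier string."""
    try:
        addr = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return "dnsname"
    return "ipv4" if addr.version == 4 else "ipv6"


def is_valid_sni_hostname(name: str) -> bool:
    """RFC 6066 s3: host_name must be a DNS hostname, never an IP literal.
    Both "127.0.0.1" and "fd12::3" fail here, unlike a checker that only
    rejects IPv6 literals."""
    if classify_server_identifier(name) != "dnsname":
        return False
    if not name or len(name) > 253:
        return False
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def build_client_hello(sni: Optional[bytes]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally with an
    SNI extension.  Sample input for the parser, not a real capture."""
    client_version = b"\x03\x03"
    random = b"\x11" * 32
    session_id = b"\x00"                  # empty session id
    cipher_suites = b"\x00\x02\xc0\x2f"   # one suite, 2-byte list length
    compression = b"\x01\x00"             # null compression only
    extensions = b""
    if sni is not None:
        server_name = b"\x00" + struct.pack("!H", len(sni)) + sni  # type 0 = host_name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    body = client_version + random + session_id + cipher_suites + compression
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the record and handshake headers to the extensions block and
    return the SNI host_name, or None if no SNI extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type == 0:                          # server_name extension
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                 # NameType host_name
                    return name.decode("ascii", errors="replace")
    return None


def check_client_hello_sni(record: bytes) -> Tuple[Optional[str], str]:
    """Return (sni, verdict): 'no-sni', 'ok', or 'disallowed:<kind>'."""
    sni = extract_sni(record)
    if sni is None:
        return None, "no-sni"
    if is_valid_sni_hostname(sni):
        return sni, "ok"
    return sni, "disallowed:" + classify_server_identifier(sni)


if __name__ == "__main__":
    for target in (b"ldap.example.org", b"fd12:3456:7890:abcd::3", b"127.0.0.1", None):
        print(target, "->", check_client_hello_sni(build_client_hello(target)))
```

The practical consequence for a client that only knows the server by an IP literal is to send no SNI extension at all (the "no-sni" case above) and to match the server certificate against an iPAddress subjectAltName instead of a dNSName; a server that enforces RFC 6066 strictly will refuse the handshake rather than ignore a literal in host_name.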