Your message dated Tue, 24 Jan 2017 23:04:58 +0000 with message-id <[email protected]> and subject line Bug#849756: fixed in sssd 1.14.2-2.1 has caused the Debian Bug report #849756, regarding sssd-ldap fails to connect to ldaps:// due to problem with non-blocking socket to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 849756: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849756 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: sssd-ldap Version: 1.14.2-1 Severity: serious Tags: security Feel free to downgrade the severity, but as this sends passwords in cleartext (though in a case that I hope will never work so not that likely to loose important passwords) and makes me wonder whether this package can work at all with any ldaps server, I guessed it might be a suitable severity. This might be the cause of other "[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]" bug reports, but as this error message is so generic, I'm creating a new bug report. sssd calls ldap_install_tls on a socket without removing and NON_BLOCKING bits from it. This seems to be not supported by the current libldap2-4 version, which returns LDAP_SUCCESS but later fails. Due to the way libldap fails the request is then send unencrypted (within the SSL Stream). Here it usually happens that sssd sends both the "Client Hello" and an "Application Data" block (containing unencryted ldap_default_bind_dn and ldap_default_authtok) before the server can even answer with an hello and the server than sends (depending when the Application data arrives) either with an Unexpected Message Fatal Alert or an Unencrypted Data Alert. (The ldap Server log reports TLS handshake errors, while the on the sssd side one gets "[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]"). Some example data extracted from the output of wireshark: Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 1, Ack: 1, Len: 150 Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 145 Handshake Protocol: Client Hello Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 151, Ack: 1, Len: 140 Secure Sockets Layer TLSv1.2 Record Layer: Application Data Protocol: ldap Content Type: Application Data (23) Version: TLS 1.2 (0x0303) Length: 135 Encrypted Application Data: 30818402010160600201030439636e3dxxxxxxxxxxxxxxxx... Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 151, Len: 0 Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 291, Len: 0 Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 291, Len: 1448 Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 53 Handshake Protocol: Server Hello Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 1449, Len: 0 Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1449, Ack: 291, Len: 2648 [2 Reassembled TCP Segments (3389 bytes): #29(1390), #31(1999)] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 3384 Handshake Protocol: Certificate Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 527 Handshake Protocol: Server Key Exchange Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 4097, Len: 0 Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 4097, Ack: 291, Len: 216 [2 Reassembled TCP Segments (333 bytes): #31(117), #33(216)] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 328 Handshake Protocol: Certificate Request Handshake Protocol: Server Hello Done Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 4313, Len: 0 Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 4313, Ack: 291, Len: 7 Secure Sockets Layer TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unexpected Message) Content Type: Alert (21) Version: TLS 1.2 (0x0303) Length: 2 Alert Message The content of the "Application Data Protocol: ldap" package is plain non-encrypted data (here a bit redacted): 0``9cn=XXXXXXXXXXXXXXXXXXXX,cn=XXXXXXXXXXXXX,cn=XXXX,ou=XXXXX MYPASWORD_______________________01.3.6.1.4.1.42.2.27.8.5.1 As I can see it the cause of this is that in ../openldap-2.4.44+dfsg/libraries/libldap/tls2.c the code is: #ifdef LDAP_USE_NON_BLOCKING_TLS /* * Use non-blocking io during SSL Handshake when a timeout is configured */ if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd ); tv = ld->ld_options.ldo_tm_net; tv0 = tv; #ifdef HAVE_GETTIMEOFDAY gettimeofday( &start_time_tv, NULL ); #else /* ! HAVE_GETTIMEOFDAY */ time( &start_time_tv.tv_sec ); start_time_tv.tv_usec = 0; #endif /* ! HAVE_GETTIMEOFDAY */ } #endif /* LDAP_USE_NON_BLOCKING_TLS */ ld->ld_errno = LDAP_SUCCESS; ret = ldap_int_tls_connect( ld, conn ); #ifdef LDAP_USE_NON_BLOCKING_TLS while ( ret > 0 ) { /* this should only happen for non-blocking io */ [shortened to make it more readable] } #endif /* LDAP_USE_NON_BLOCKING_TLS */ if ( ret < 0 ) { if ( ld->ld_errno == LDAP_SUCCESS ) ld->ld_errno = LDAP_CONNECT_ERROR; return (ld->ld_errno); } ssl = ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* * compare host with name(s) in certificate */ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { return ld->ld_errno; } } return LDAP_SUCCESS; } i.e. libldap expect that if it does not set the fd non-blocking, ldap_int_tls_connect will not return > 0 (which it does if gnutls_handshare returns GNUTLS_E_AGAIN). (and the only place LDAP_USE_NON_BLOCKING_TLS is defined is: #ifdef LDAP_DEVEL #define LDAP_USE_NON_BLOCKING_TLS #endif /* LDAP_DEVEL */ earlier in the same file. Running sssd in an debugger shows that the code is not compiled in (i.e. it is not defined as expected)) The test of sssd with the problem was done with libldap-2.4-2 version 2.4.44+dfsg-2 and libgnutls30 version 3.5.7-3.
--- End Message ---
--- Begin Message ---Source: sssd Source-Version: 1.14.2-2.1 We believe that the bug you reported is fixed in the latest version of sssd, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Petter Reinholdtsen <[email protected]> (supplier of updated sssd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Tue, 24 Jan 2017 22:26:17 +0000 Source: sssd Binary: sssd sssd-common sssd-ad sssd-ad-common sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools libnss-sss libpam-sss libipa-hbac0 libipa-hbac-dev libsss-idmap0 libsss-idmap-dev libsss-nss-idmap0 libsss-nss-idmap-dev libsss-sudo libsss-simpleifp0 libsss-simpleifp-dev libwbclient-sssd libwbclient-sssd-dev python-libipa-hbac python-libsss-nss-idmap python-sss python3-libipa-hbac python3-libsss-nss-idmap python3-sss Architecture: source Version: 1.14.2-2.1 Distribution: unstable Urgency: low Maintainer: Debian SSSD Team <[email protected]> Changed-By: Petter Reinholdtsen <[email protected]> Description: libipa-hbac-dev - FreeIPA HBAC Evaluator library libipa-hbac0 - FreeIPA HBAC Evaluator library libnss-sss - Nss library for the System Security Services Daemon libpam-sss - Pam module for the System Security Services Daemon libsss-idmap-dev - ID mapping library for SSSD -- development files libsss-idmap0 - ID mapping library for SSSD libsss-nss-idmap-dev - SID based lookups library for SSSD -- development files libsss-nss-idmap0 - SID based lookups library for SSSD libsss-simpleifp-dev - SSSD D-Bus responder helper library -- development files libsss-simpleifp0 - SSSD D-Bus responder helper library libsss-sudo - Communicator library for sudo libwbclient-sssd - SSSD libwbclient implementation libwbclient-sssd-dev - SSSD libwbclient implementation -- development files python-libipa-hbac - Python bindings for the FreeIPA HBAC Evaluator library python-libsss-nss-idmap - Python bindings for the SID lookups library python-sss - Python module for the System Security Services Daemon python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library python3-libsss-nss-idmap - Python3 bindings for the SID lookups library python3-sss - Python3 module for the System Security Services Daemon sssd - System Security Services Daemon -- metapackage sssd-ad - System Security Services Daemon -- Active Directory back end sssd-ad-common - System Security Services Daemon -- PAC responder sssd-common - System Security Services Daemon -- common files sssd-dbus - System Security Services Daemon -- D-Bus responder sssd-ipa - System Security Services Daemon -- IPA back end sssd-krb5 - System Security Services Daemon -- Kerberos back end sssd-krb5-common - System Security Services Daemon -- Kerberos helpers sssd-ldap - System Security Services Daemon -- LDAP back end sssd-proxy - System Security Services Daemon -- proxy back end sssd-tools - System Security Services Daemon -- tools Closes: 849756 Changes: sssd (1.14.2-2.1) unstable; urgency=low . * Non-maintainer upload with maintainer approval. * ldap-blocking.diff: Fix ldaps connections by removing NON_BLOCKING from socket options (Closes: 849756). Patch from upstream pull request #67. Checksums-Sha1: 276b1256104dbfb604e499196fadbfe33b469213 4402 sssd_1.14.2-2.1.dsc 90386fab818d5ec7b3199e9edebf791b7bd5e849 37633 sssd_1.14.2-2.1.diff.gz Checksums-Sha256: 9840a4f2a7c2abf5c500db521f2d54c0224900b5a628ca2404289dfde48260c1 4402 sssd_1.14.2-2.1.dsc 55af6db3aa0edd30e9b254ae46e7ab2191ad1963d09df2f9820e88a017cc0b29 37633 sssd_1.14.2-2.1.diff.gz Files: 43c12cc1b9ad64a88f37d1f72cf73b87 4402 utils extra sssd_1.14.2-2.1.dsc 3eb998aadb95c0b36dcc65aa4c15726b 37633 utils extra sssd_1.14.2-2.1.diff.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWIfXMIEoCqCHuvsOAQICJBAAqJZNABCl1pAKZM38wxZah+wFPKJBpv/Y 9WkWJ3BpMLW1IRRErYRNxTWk1Gn45saWw8pJDzAqVVjSxtsH7Wd4fYtAkqqyfcQH eazMi9y5dBGealjlSGJ5FXNimcRHFs7D1GracfQRAbDJN1c2TzD86UFXA5ktkaGB eyyk72C63opAJQhiltKHjMi2FUKo2m51LN6OM6ljso4gqk60c5fznoq4DjQ40u8N YhIfgCn8CePyfcqbNv5QRqyjTE04TaWszM4r5qGngNYCZNceLrHK7Y6QqjbV65D6 T/PI8b7D7cHJ5XkJcAeV5LwuOCTraf6itKmElCRPBFmGOm9wd65lrTEhdi5JDXLO 9Ewrdrg9FhirevlHCVGcOtvGAWJ/q1SknujsowfgheuiL9NLCMZnpHvo4nmLv9mW 7j4t6cOZrwefxgg37/Lj9tiaWADsQD2BHJOTvHqf7Ac7QzKi35NhovtVhjCtgqH8 ba49E2sttrM4405J1NL5nPVcDdnR6lcNf3e3mmvi243/DiIW55DI0kZ9s0PlQvNH nLWUI1hNyT0SltR2RJ0CMRafYEpQacx72DwPhosuWvDKzq/XBKRBs22DmLr1z6x5 AHAz2WRAfuVqR7p7VePqo5AdRlax6OHNVj766DMwULD0JKinHRd6RX9+BX/GRAE6 X68LZE1tytk= =xEWR -----END PGP SIGNATURE-----
--- End Message ---

