https://cwe.mitre.org/data/definitions/295.html
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1835181 Title: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS Status in openldap package in Ubuntu: New Bug description: This is the same bug as https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1547927 which has been closed. Tested and confirmed present with vivid, wily, xenial and bionic Also logged with openldap as http://www.openldap.org/its/index.cgi/Incoming?id=8374 however I think that this is a packaging issue caused by using GNUTLS rather than OpenSSL. Important: to replicate the issue you need to connect to an LDAP server which presents a certificate with a CN that DOES NOT MATCH the connection URI passed to the OpenLDAP client. In practice, this is simple enough to achieve by using the IP address of a server rather than the FQDN. The core of the issue is that the handling of the LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs. When accessing server with an invalid certificate, the results are: ldaps:// never OK hard Error: can't contact LDAP server demand Error: can't contact LDAP server allow OK try Error: can't contact LDAP server ldap:// plus explicit ldap_start_tls_s() never OK hard OK demand OK allow OK try OK Based on all the documentation, the results should be the same between approaches. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1835181/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
