** Changed in: openldap (Ubuntu)
Status: New => Incomplete
https://bugs.launchpad.net/bugs/1835181
Title:
OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between
ldaps:// and ldap:// with STARTTLS
Status in openldap package in Ubuntu:
Incomplete
Bug description:
This is the same bug as
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1547927 which
has been closed.
Tested and confirmed present with vivid, wily, xenial and bionic.
Also logged with OpenLDAP as
http://www.openldap.org/its/index.cgi/Incoming?id=8374; however, I think
that this is a packaging issue caused by using GnuTLS rather than
OpenSSL.
Important: to replicate the issue you need to connect to an LDAP
server which presents a certificate with a CN that DOES NOT MATCH the
connection URI passed to the OpenLDAP client. In practice, this is
simple enough to achieve by using the IP address of a server rather
than the FQDN.
The core of the issue is that the handling of the
LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between
servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs.
When accessing a server with an invalid certificate, the results are:

  ldaps://
    never   OK
    hard    Error: can't contact LDAP server
    demand  Error: can't contact LDAP server
    allow   OK
    try     Error: can't contact LDAP server

  ldap:// plus explicit ldap_start_tls_s()
    never   OK
    hard    OK
    demand  OK
    allow   OK
    try     OK
Based on all the documentation, the results should be the same between
approaches.
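An added check for reproducing the matrix above with the stock OpenLDAP command-line tools (example script, not part of the bug report). It assumes ldapwhoami is installed, the server permits anonymous bind, and HOST is set to an address whose certificate does not match (a raw IP, as the report suggests); the expected column is taken from the TLS_REQCERT description in ldap.conf(5), and LDAPTLS_REQCERT is the environment form of that option.

```shell
#!/bin/sh
# Added example, not the reporter's code: probe how the OpenLDAP client
# honours TLS_REQCERT (LDAP_OPT_X_TLS_REQUIRE_CERT) for ldaps:// versus
# ldap:// plus STARTTLS, and flag cells that depart from the documented rule.
# Assumptions: ldapwhoami on PATH, anonymous bind allowed, HOST set to an
# address whose certificate CN/SAN does not match the URI.

# Outcome documented in ldap.conf(5) for TLS_REQCERT when the server's
# certificate fails validation (never/allow proceed; try/demand/hard abort).
expected_outcome() {
    case "$1" in
        never|allow)     echo "OK" ;;
        try|demand|hard) echo "Error" ;;
        *)               echo "unknown"; return 1 ;;
    esac
}

# One probe: $1 = TLS_REQCERT mode, $2 = "ldaps" or "starttls".
# Prints OK when the session is established and a whoami succeeds.
probe() {
    mode=$1; transport=$2
    if [ "$transport" = ldaps ]; then
        set -- -H "ldaps://$HOST"
    else
        set -- -ZZ -H "ldap://$HOST"   # -ZZ: StartTLS must succeed
    fi
    if LDAPTLS_REQCERT=$mode ldapwhoami -x "$@" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "Error"
    fi
}

# Print the same matrix as the report and mark any cell that differs
# from the documented behaviour.
run_matrix() {
    for transport in ldaps starttls; do
        echo "== $transport =="
        for mode in never hard demand allow try; do
            got=$(probe "$mode" "$transport")
            want=$(expected_outcome "$mode")
            flag=""
            [ "$got" = "$want" ] || flag="  <-- differs from ldap.conf(5)"
            printf '%-7s %s%s\n' "$mode" "$got" "$flag"
        done
    done
}

# Only probe when a target is given and the tool exists.
if [ -n "${HOST:-}" ] && command -v ldapwhoami >/dev/null 2>&1; then
    run_matrix
fi
```

Run it as `HOST=192.0.2.10 sh probe-reqcert.sh` (placeholder address); a STARTTLS column showing OK for hard/demand/try while ldaps:// shows Error is the discrepancy the report describes.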