Same thing on bionic now.
a) SSL with incorrect name fails as expected:

ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 ACCEPT from IP=10.0.100.234:45518 (IP=0.0.0.0:636)
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 closed (connection lost)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 ACCEPT from IP=10.0.100.234:45520 (IP=0.0.0.0:636)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 closed (connection lost)

b) START_TLS with incorrect hostname fails as expected:

ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 op=1 UNBIND
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 closed
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 ACCEPT from IP=10.0.100.234:37820 (IP=0.0.0.0:389)
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 STARTTLS
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 RESULT oid= err=0 text=
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=1 UNBIND
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 closed

Now the good cases, to show the ssl setup is correct:

a) SSL with ubuntu host:

ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://ubuntu/
anonymous
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 ACCEPT from IP=10.0.100.234:45528 (IP=0.0.0.0:636)
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 BIND dn="" method=128
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 RESULT tag=97 err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 WHOAMI
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 RESULT oid= err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=2 UNBIND
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 closed

b) START_TLS with ubuntu host:

ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h ubuntu
anonymous
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 STARTTLS
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 BIND dn="" method=128
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 RESULT tag=97 err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 WHOAMI
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=3 UNBIND
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 closed

Versions:

slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.2
  Candidate: 2.4.45+dfsg-1ubuntu1.2
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

and libgnutls30:
  Installed: 3.5.18-1ubuntu1.1
  Candidate: 3.5.18-1ubuntu1.1
  Version table:
 *** 3.5.18-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

Before I continue testing older releases, is this procedure correct to try to reproduce the bug? Maybe I missed something.
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1835181

Title:
  OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between
  ldaps:// and ldap:// with STARTTLS

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  This is the same bug as
  https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1547927 which
  has been closed.

  Tested and confirmed present with vivid, wily, xenial and bionic

  Also logged with openldap as
  http://www.openldap.org/its/index.cgi/Incoming?id=8374 however I think
  that this is a packaging issue caused by using GNUTLS rather than
  OpenSSL.

  Important: to replicate the issue you need to connect to an LDAP server
  which presents a certificate with a CN that DOES NOT MATCH the
  connection URI passed to the OpenLDAP client. In practice, this is
  simple enough to achieve by using the IP address of a server rather
  than the FQDN.

  The core of the issue is that the handling of the
  LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between
  servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs.

  When accessing server with an invalid certificate, the results are:

  ldaps://
    never   OK
    hard    Error: can't contact LDAP server
    demand  Error: can't contact LDAP server
    allow   OK
    try     Error: can't contact LDAP server

  ldap:// plus explicit ldap_start_tls_s()
    never   OK
    hard    OK
    demand  OK
    allow   OK
    try     OK

  Based on all the documentation, the results should be the same between
  approaches.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1835181/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
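The reproduction attempt above exercises only the default TLS_REQCERT level (demand, per ldap.conf(5)) and the ldapwhoami -ZZ flag, whereas the bug description's table covers all five levels (never, hard, demand, allow, try) on both transports. The harness below drives that full matrix. It is an added example by the editor, not code from the bug reporter, the openldap package or the Ubuntu bug tracker. It assumes ldapwhoami is on PATH and that LDAP_TEST_HOST names the server by something that does NOT match its certificate (the default 10.0.100.234 is an assumed placeholder taken from the log excerpt, chosen because an IP address never matches a CN of "ubuntu"). LDAPTLS_REQCERT is the environment form of the TLS_REQCERT option documented in ldap.conf(5); the LDAPWHOAMI variable is a hypothetical hook so the harness itself can be checked without a server.

```shell
#!/bin/sh
# Added example (editor's, not from the bug report): run ldapwhoami across
# the TLS_REQCERT matrix for both ldaps:// and ldap:// + STARTTLS, then
# list the levels where the two transports disagree.

# Assumed placeholders, both overridable from the environment.
: "${LDAP_TEST_HOST:=10.0.100.234}"   # must NOT match the server cert's CN/SAN
: "${LDAPWHOAMI:=ldapwhoami}"         # hypothetical hook; real binary by default

# probe SCHEME REQCERT -> prints "ok" if the anonymous bind succeeds, else "fail"
probe() {
    scheme=$1
    reqcert=$2
    case $scheme in
        ldaps)    set -- -x -H "ldaps://$LDAP_TEST_HOST/" ;;
        starttls) set -- -x -ZZ -H "ldap://$LDAP_TEST_HOST/" ;;
        *)        echo "unknown scheme: $scheme" >&2; return 2 ;;
    esac
    # Subshell so the exported override does not leak into later probes.
    if ( export LDAPTLS_REQCERT="$reqcert"; "$LDAPWHOAMI" "$@" >/dev/null 2>&1 ); then
        echo ok
    else
        echo fail
    fi
}

# matrix -> one "scheme reqcert result" line per combination (10 lines)
matrix() {
    for scheme in ldaps starttls; do
        for rc in never hard demand allow try; do
            printf '%-9s %-7s %s\n' "$scheme" "$rc" "$(probe "$scheme" "$rc")"
        done
    done
}

# inconsistent -> one line per TLS_REQCERT level where ldaps:// and STARTTLS
# behave differently; the bug report's claim is that this output is non-empty.
inconsistent() {
    for rc in never hard demand allow try; do
        lhs=$(probe ldaps "$rc")
        rhs=$(probe starttls "$rc")
        [ "$lhs" = "$rhs" ] || printf '%s: ldaps=%s starttls=%s\n' "$rc" "$lhs" "$rhs"
    done
}

# Stand-alone use: sh harness.sh run
if [ "${1:-}" = run ]; then
    matrix
    echo "--- TLS_REQCERT levels where the transports disagree ---"
    inconsistent
fi
```

A clean client shows no lines from inconsistent; the table in the bug description corresponds to three lines (hard, demand, try). Note that the harness uses -ZZ, which makes ldapwhoami abort when STARTTLS fails; the report's STARTTLS column was produced with an explicit ldap_start_tls_s() call from a program, so a difference between the two is itself worth recording before comparing against the report.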