Same thing on bionic now.

a) SSL with incorrect name fails as expected:
ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog

ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).

ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 ACCEPT from IP=10.0.100.234:45518 (IP=0.0.0.0:636)
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 closed (connection lost)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 ACCEPT from IP=10.0.100.234:45520 (IP=0.0.0.0:636)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 closed (connection lost)

b) START_TLS with incorrect hostname fails as expected:
ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 op=1 UNBIND
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 closed
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 ACCEPT from IP=10.0.100.234:37820 (IP=0.0.0.0:389)
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 STARTTLS
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 RESULT oid= err=0 text=
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=1 UNBIND
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 closed


Now the good cases, to show the ssl setup is correct:

a) SSL with ubuntu host:
ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://ubuntu/
anonymous
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 ACCEPT from IP=10.0.100.234:45528 (IP=0.0.0.0:636)
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 BIND dn="" method=128
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 RESULT tag=97 err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 WHOAMI
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 RESULT oid= err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=2 UNBIND
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 closed

b) START_TLS with ubuntu host:
ubuntu@bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog
ubuntu@bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h ubuntu
anonymous
ubuntu@bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 STARTTLS
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 BIND dn="" method=128
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 RESULT tag=97 err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 WHOAMI
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=3 UNBIND
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 closed


Versions:
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.2
  Candidate: 2.4.45+dfsg-1ubuntu1.2
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

and
libgnutls30:
  Installed: 3.5.18-1ubuntu1.1
  Candidate: 3.5.18-1ubuntu1.1
  Version table:
 *** 3.5.18-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages


Before I continue testing older releases, is this procedure correct to try to reproduce the bug? Maybe I missed something.

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1835181

Title:
  OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between
  ldaps:// and ldap:// with STARTTLS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1835181/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
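A small server-side log triage for the slapd lines in the report above, added here as an example and not part of the original message or of OpenLDAP: it groups syslog lines by conn= and labels each connection by whether the client finished the TLS handshake and then went on to BIND (it accepted the certificate) or unbound/hung up with no BIND (the trace left on the server by the client-side hostname check failing, as in both bad-hostname cases). The sample lines are constructed from the report with the host name shortened; the regexes and labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in slapd's syslog format, trimmed from the report above
# (host name shortened): conn=1015 ldaps:// bad hostname, conn=1018 STARTTLS
# bad hostname, conn=1019 ldaps:// with the right hostname.
SAMPLE_SYSLOG = """\
Jul  9 21:02:07 host slapd[2600]: conn=1015 fd=14 ACCEPT from IP=10.0.100.234:45518 (IP=0.0.0.0:636)
Jul  9 21:02:07 host slapd[2600]: conn=1015 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:07 host slapd[2600]: conn=1015 fd=14 closed (connection lost)
Jul  9 21:03:09 host slapd[2600]: conn=1018 fd=14 ACCEPT from IP=10.0.100.234:37820 (IP=0.0.0.0:389)
Jul  9 21:03:09 host slapd[2600]: conn=1018 op=0 STARTTLS
Jul  9 21:03:09 host slapd[2600]: conn=1018 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:09 host slapd[2600]: conn=1018 op=1 UNBIND
Jul  9 21:03:48 host slapd[2600]: conn=1019 fd=14 ACCEPT from IP=10.0.100.234:45528 (IP=0.0.0.0:636)
Jul  9 21:03:48 host slapd[2600]: conn=1019 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:48 host slapd[2600]: conn=1019 op=0 BIND dn="" method=128
Jul  9 21:03:48 host slapd[2600]: conn=1019 fd=14 closed
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from .* \(IP=[\d.]+:(\d+)\)")

def parse_connections(text):
    """Group slapd syslog lines by conn= id -> ordered list of event strings."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[int(m.group(1))].append(m.group(2))
    return dict(conns)

def classify(events):
    """(mode, outcome) for one connection. mode: ldaps / starttls / plain.
    bound_after_tls   = handshake then BIND: the client accepted the cert.
    dropped_after_tls = handshake then UNBIND/hangup, no BIND: the server-side
                        trace of the client's hostname/cert check failing.
    slapd cannot see whether the client verified the cert, so we key on what
    the client does after "TLS established"."""
    ports = [int(m.group(1)) for m in map(ACCEPT_RE.search, events) if m]
    if any(ev.endswith(" STARTTLS") for ev in events):
        mode = "starttls"
    else:
        mode = "ldaps" if ports == [636] else "plain"
    tls = any("TLS established" in ev for ev in events)
    bound = any(" BIND " in ev for ev in events)
    if not tls:
        return mode, "no_tls"
    return mode, "bound_after_tls" if bound else "dropped_after_tls"

def summarize(text):
    """Map each conn id in a slapd syslog excerpt to its (mode, outcome)."""
    return {cid: classify(evs) for cid, evs in parse_connections(text).items()}
```

Running `summarize(SAMPLE_SYSLOG)` labels conn=1015 and conn=1018 as dropped_after_tls and conn=1019 as bound_after_tls; a client that bound over a mismatched-hostname connection would instead show up as bound_after_tls, which is the signature to look for when checking whether a client actually enforces certificate verification.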