On Thu, May 16, 2024 at 07:06:49PM -0700, Elliott Mitchell wrote:
> On Tue, May 14, 2024 at 06:22:09PM +0200, Andreas Metzler wrote:
> > On 2024-05-14 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> > > On Wed, May 01, 2024 at 01:45:00PM +0200, Andreas Metzler wrote:
> > [...]
> > >> well you could post the complete output of
> > >> gnutls-cli --port 636 fd12:3456:7890:abcd::3
> > >> perhaps even with -d10? I would reassign to openldap then if there are
> > >> no obvious clues.
> >
> > > `gnutls-cli` doesn't yield anything obvious.
> > [...]
> >
> > Could you please post the requested output, although there are no
> > obvious clues there to your eyes?
>
> Problem is that provides rather a lot of data about this network setup.
> The quantity of information is enough for me to be rather uncomfortable
> with providing it via public channel.
>
>
> I did get the connection to proceed further than before though. If I add
> the IPv6 address of the LDAP server to /etc/hosts, and then use the
> hostname instead of IPv6 address for the uri line of /etc/nslcd.conf
> things get further (I believe over IPv6, but I haven't satisfactorily
> verified this).
>
> This suggests #1070033 is either in libgnutls30 or slapd. The issue
> could be slapd is passing an IPv6 address to a portion of libgnutls30's
> API which requires a hostname. The issue could be libgnutls30 rejects
> IPv6 addresses in some place(s) where they should be valid by the API.
>
> I notice the `_gnutls_dnsname_is_valid()` function in
> gnutls28-3.8.5/lib/str.h accepts IPv4 addresses (which are NOT valid in
> DNS), but rejects IPv6 addresses.
Then I look deeper and find RFC 6066
(https://www.rfc-editor.org/rfc/rfc6066), page 7:

   Literal IPv4 and IPv6 addresses are not permitted in "HostName".

This suggests there are at least 2, possibly 3 or more bugs.

#1 RFC 6066 says neither are legal, yet _gnutls_dnsname_is_valid()
accepts IPv4 addresses (including the 32-bit integer version), but
rejects IPv6 addresses. This sort of inconsistency leads to security
breaches.

#2 The gnutls library uses the SNI extension without checking whether it
was passed a literal address.

#3 nslcd always passes the host string provided to its "uri"
configuration setting to the gnutls API without checking whether it is a
literal address.

#1 is definitely a bug present in the libgnutls30 package. At least one
of #2 and #3 is definitely a bug, but both may very well be bugs. Seems
better to check in the library as it could affect multiple programs
using the library.

-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    ) /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
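The check the message argues for, as an added example that is not code from gnutls, nslcd or slapd: classify the host string taken from a URI before deciding whether it may be sent as the SNI "HostName" that RFC 6066 restricts to DNS names. IPv4 dotted quads and IPv6 literals are detected with inet_pton(); the bare 32-bit integer form of an IPv4 address (which the message says gnutls also lets through) is detected by a small helper; the DNS-name syntax rules, the bracket stripping and the function names (classify_host, sni_hostname_allowed) are this example's own assumptions.

```c
/* Added example (not gnutls' or nslcd's own code): classify a host string
 * such as the host part of ldaps://[fd12:3456:7890:abcd::3]:636 before
 * deciding whether it may be sent as a TLS SNI HostName.  RFC 6066
 * section 3 says literal IPv4 and IPv6 addresses are not permitted in
 * "HostName", so only HOST_DNSNAME should ever reach the SNI extension. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum host_kind { HOST_DNSNAME, HOST_IPV4, HOST_IPV6, HOST_INVALID };

/* Copy host into out, dropping the [ ] that URIs put around IPv6 literals. */
static void strip_brackets(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n >= 2 && in[0] == '[' && in[n - 1] == ']') {
        in++;
        n -= 2;
    }
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, in, n);
    out[n] = '\0';
}

/* The bare 32-bit integer form of an IPv4 address ("3221225994" is
 * 192.0.2.10): all decimal digits, value fits in 32 bits. */
static int is_ipv4_integer(const char *s)
{
    char *end;
    unsigned long v;
    if (*s == '\0' || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    return errno == 0 && *end == '\0' && v <= 0xFFFFFFFFUL;
}

enum host_kind classify_host(const char *host)
{
    char buf[256];
    unsigned char addr[16];
    size_t len, label = 0;

    strip_brackets(host, buf, sizeof buf);

    if (inet_pton(AF_INET, buf, addr) == 1 || is_ipv4_integer(buf))
        return HOST_IPV4;
    if (inet_pton(AF_INET6, buf, addr) == 1)
        return HOST_IPV6;

    /* Simplified DNS name syntax (an assumption of this example): dot-separated
     * labels of letters, digits and hyphens, no leading or trailing hyphen,
     * at most 63 octets per label and 253 in total; a trailing dot is
     * rejected for simplicity. */
    len = strlen(buf);
    if (len == 0 || len > 253)
        return HOST_INVALID;
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '.') {
            if (label == 0 || buf[i - 1] == '-')
                return HOST_INVALID;
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-')
            return HOST_INVALID;
        if (label == 0 && c == '-')
            return HOST_INVALID;
        if (++label > 63)
            return HOST_INVALID;
    }
    if (label == 0 || buf[len - 1] == '-')
        return HOST_INVALID;
    return HOST_DNSNAME;
}

/* 1 if the string is a DNS name and may be sent as SNI, 0 otherwise.  A caller
 * holding a literal address should connect without SNI and verify the
 * certificate against an iPAddress subjectAltName instead. */
int sni_hostname_allowed(const char *host)
{
    return classify_host(host) == HOST_DNSNAME;
}

int main(void)
{
    /* Constructed sample inputs, including the IPv6 literal from the thread. */
    static const char *const names[] = {
        "ldap.example.org", "192.0.2.10", "3221225994",
        "fd12:3456:7890:abcd::3", "[fd12:3456:7890:abcd::3]", "-bad.example"
    };
    static const char *const kinds[] = { "dnsname", "ipv4", "ipv6", "invalid" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-26s %-8s sni=%d\n", names[i],
               kinds[classify_host(names[i])], sni_hostname_allowed(names[i]));
    return 0;
}
```

In a client built on gnutls, the call that this gate would skip for HOST_IPV4 and HOST_IPV6 is gnutls_server_name_set(); whether that gate belongs in the library (bug #2 above) or in every caller such as nslcd (bug #3) is exactly the question the message raises, and placing it in the library covers both.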