Subject: libldap-2.4-2: setting LDAP_OPT_X_TLS_REQUIRE_CERT is not handled correctly
Package: libldap-2.4-2
Version: 2.4.15-1.1
Severity: important
I've been busy tracking down an LDAP/TLS related bug in my package (#521617) and found that the certificate checks are not done correctly if I only set the LDAP_OPT_X_TLS_REQUIRE_CERT option on a connection:

  tls_reqcert=LDAP_OPT_X_TLS_NEVER;
  ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&tls_reqcert);

I get, on entering ldap_start_tls_s():

  TLS: peer cert untrusted or revoked (0x42)
  TLS: can't connect: (unknown error code).

If I set the option globally, after opening the connection:

  ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&tls_reqcert);

I get:

  TLS: hostname (192.168.12.1) does not match common name in certificate (server.host.name.tld).

But if I set both (after opening the connection) it works. Also, if I set the global one before opening the connection it also works. (Full logs are below.)

From browsing through the OpenLDAP source (I was reading through an unpacked 2.4.11-1 tree with Debian patches applied, but I suspect the current code has the same flaw) I saw that sometimes the ldo_tls_require_cert value was read as (from libraries/libldap/tls.c):

  lo->ldo_tls_require_cert

and sometimes as:

  ld->ld_options.ldo_tls_require_cert

I think (but haven't investigated further) that some of the option checks that are done should be done on the connection options, not on the global ones.

I would be willing to investigate this further if you think that's a good idea (maybe even provide a patch). I could also take it up with upstream if you think it's not due to Debian patches (I know Debian's libldap uses GnuTLS instead of the more commonly used OpenSSL, but I don't know to what extent it's patched).
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6          2.9-7            GNU C Library: Shared libraries
ii  libgnutls26    2.6.5-1          the GNU TLS library - runtime libr
ii  libsasl2-2     2.1.22.dfsg1-23  Cyrus SASL - authentication abstra

-- Full log of ldap_start_tls_s() with only connection option set

  ldap_extended_operation_s
  ldap_extended_operation
  ldap_send_initial_request
  ldap_new_connection 1 1 0
  ldap_int_open_connection
  ldap_connect_to_host: TCP 192.168.12.1:389
  ldap_new_socket: 9
  ldap_prepare_socket: 9
  ldap_connect_to_host: Trying 192.168.12.1:389
  ldap_pvt_connect: fd: 9 tm: 30 async: 0
  ldap_ndelay_on: 9
  ldap_int_poll: fd: 9 tm: 30
  ldap_is_sock_ready: 9
  ldap_ndelay_off: 9
  ldap_pvt_connect: 0
  ldap_open_defconn: successful
  ldap_send_server_request
  ldap_result ld 0x964cb08 msgid 1
  wait4msg ld 0x964cb08 msgid 1 (timeout 30000000 usec)
  wait4msg continue ld 0x964cb08 msgid 1 all 1
  ** ld 0x964cb08 Connections:
  * host: 192.168.12.1 port: 389 (default)
    refcnt: 2 status: Connected
    last used: Sat Apr 25 22:51:59 2009
  ** ld 0x964cb08 Outstanding Requests:
   * msgid 1, origid 1, status InProgress
     outstanding referrals 0, parent count 0
    ld 0x964cb08 request count 1 (abandoned 0)
  ** ld 0x964cb08 Response Queue:
     Empty
    ld 0x964cb08 response count 0
  ldap_chkResponseList ld 0x964cb08 msgid 1 all 1
  ldap_chkResponseList returns ld 0x964cb08 NULL
  ldap_int_select
  read1msg: ld 0x964cb08 msgid 1 all 1
  read1msg: ld 0x964cb08 msgid 1 message type extended-result
  read1msg: ld 0x964cb08 0 new referrals
  read1msg: mark request completed, ld 0x964cb08 msgid 1
  request done: ld 0x964cb08 msgid 1
  res_errno: 0, res_error: <>, res_matched: <>
  ldap_free_request (origid 1, msgid 1)
  ldap_parse_extended_result
  ldap_parse_result
  ldap_msgfree
  TLS: peer cert untrusted or revoked (0x42)
  TLS: can't connect: (unknown error code).

-- Full log of ldap_start_tls_s() with only global option set

  ldap_extended_operation_s
  ldap_extended_operation
  ldap_send_initial_request
  ldap_new_connection 1 1 0
  ldap_int_open_connection
  ldap_connect_to_host: TCP 192.168.12.1:389
  ldap_new_socket: 9
  ldap_prepare_socket: 9
  ldap_connect_to_host: Trying 192.168.12.1:389
  ldap_pvt_connect: fd: 9 tm: 30 async: 0
  ldap_ndelay_on: 9
  ldap_int_poll: fd: 9 tm: 30
  ldap_is_sock_ready: 9
  ldap_ndelay_off: 9
  ldap_pvt_connect: 0
  ldap_open_defconn: successful
  ldap_send_server_request
  ldap_result ld 0x9303b08 msgid 1
  wait4msg ld 0x9303b08 msgid 1 (timeout 30000000 usec)
  wait4msg continue ld 0x9303b08 msgid 1 all 1
  ** ld 0x9303b08 Connections:
  * host: 192.168.12.1 port: 389 (default)
    refcnt: 2 status: Connected
    last used: Sat Apr 25 22:48:17 2009
  ** ld 0x9303b08 Outstanding Requests:
   * msgid 1, origid 1, status InProgress
     outstanding referrals 0, parent count 0
    ld 0x9303b08 request count 1 (abandoned 0)
  ** ld 0x9303b08 Response Queue:
     Empty
    ld 0x9303b08 response count 0
  ldap_chkResponseList ld 0x9303b08 msgid 1 all 1
  ldap_chkResponseList returns ld 0x9303b08 NULL
  ldap_int_select
  read1msg: ld 0x9303b08 msgid 1 all 1
  read1msg: ld 0x9303b08 msgid 1 message type extended-result
  read1msg: ld 0x9303b08 0 new referrals
  read1msg: mark request completed, ld 0x9303b08 msgid 1
  request done: ld 0x9303b08 msgid 1
  res_errno: 0, res_error: <>, res_matched: <>
  ldap_free_request (origid 1, msgid 1)
  ldap_parse_extended_result
  ldap_parse_result
  ldap_msgfree
  TLS: hostname (192.168.12.1) does not match common name in certificate (server.host.name.tld).

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --