Full_Name: Graham Wells
Version: 2.4.28
OS: macOS 10.12.1
URL:
Submission from: (NULL) (50.207.27.182)
SSLHandshake fails for ldapsearch when the subject is blank, even if the
certificate is valid and certificate chain trusted (should only require a valid
SAN and for SAN to be marked as critical):
Command: /usr/bin/ldapsearch -b "CN=userid,ou=foo,ou=bar,dc=domain,dc=com" -D
"CN=bind-dn,ou=foo,ou=bar,dc=domain,dc=com" -H ldaps://server-ldap.com:636 -W
-d-1
ldap_url_parse_ext(ldaps://server-ldap.com:636)
ldap_create
ldap_url_parse_ext(ldaps://server-ldap.com:636/??base)
Enter LDAP Password:AlAldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server-ldap.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.2.2.2:636
ldap_pvt_connect: fd: 3 tm: -1 async:%D
tlsst_thr_init()
tlsst_init()
tlsst_ctx_new() = 0x7fa10de02f90
tlsst_ctx_init(0x7fa10de02f90)
tlsst_ciphers_get((null), TLS_CIPHER_SUITE)
tlsst_trusted_certs_get(CA 002|CA 001|CA 003|ROOT CA 001|Other Root CA,
TLS_TRUSTED_CERTS)
tlssttetem_get(CA 002, TLS_TRUSTED_CERTS)
tlsst_item_get(CA 001, TLS_TRUSTED_CERTS)
tlsst_item_get(CA 003, TLS_TRUSTED_CERTS)
tlsst_item_get(ROOT CA 001, TLS_TRUSTED_CERTS)
tlsst_item_get(Other Root CA, TLS_TRUSTED_CERTS)
tlsst_session_new(0x7fa10de02f90)
tlsst_ciphers_set(42, TLS_CIPHER_SUITE)
TLS: 42 ciphers wanted:
...(omitted)
TLS: 72 ciphers supported:
...(omitted)
TLS: 16 ciphers enabled
...(omitted)
tlsst_ctx_ref(0x7fa10de02f90)
tlsst_session_new(0x7fa10de02f90) = 0x7fa10dd08280
tlsst_sb_setup(0x7fa10dd08280)
tlsst_ctx_ref(0x7fa10de02f90)
tlsst_session_connect(0x7fa10dd08280)
tlsst_session_handshake()
tlsst_socket_write(0x7fa10dd0ef68, 123)
tls_write: want=123, written=123
0000: 16 03 01 00 76 01 00 00 72 03 03 58 33 55 fe 4e ....v...r..X3U.N
0010: 8e 16 0d df 99 3a e6 68 36 a1 ff 90 71 1f 78 bb .....:.h6...q.x.
0020: 70 bf 2a 02 05 44 c9 94 07 33 2f 00 00 22 00 ff p.*..D...3/.."..
0030: 00 9d 00 9f 00 3d 00 6b 00 35 00 39 00 9c 00 9e .....=.k.5.9....
0040: 00 3c 00 67 00 2f 00 33 00 0a 00 16 00 05 00 04 .<.g./.3........
0050: 01 00 00 27 00 0d 00 12 00 10 04 01 02 01 05 01 ...'............
0060: 06 01 04 03 02 03 05 03 06 03 00 05 00 05 01 00 ................
0070: 00 00 00 00 12 00 00 00 17 00 00 ...........
tlsst_socket_read(0x7fa10e81d800, 5)
tls_read: want=5, got=5
0000: 16 03 03 11 38 ....8
tlsst_socket_read(0x7fa10e81d805, 4408)
tls_read: want=0808, got=2891
...(sanitized)
tlsst_socket_read - received (2891) bytes of (4408) requested bytes - (1517)
encrypted bytes remaining
tlsst_socket_flags sess(0x7fa10dd08280)
tlsst_socket_flags ->(2)
tlsst_socket_read(0x7fa10e81e350, 1517)
tls_read: want=1517, got=1517
...(sanitized)
TLS: during handshake: peer cert is valid, or was ignored if verification
disabled (-9841)
TLS: during handshake: Peer certificate is not trusted:
kSecTrustResultRecoverableTrustFailure
tlsst_session_upflags(0x7fa10dd08280)
tlsst_session_errmsg(0x7fa10dd08280)
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).
tlsst_sb_remove(0x7fa10dd08280)
tlsst_session_free(0x7fa10dd08280)
tlsst_ctx_free(0x7fa10de02f90)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can7t7t contact LDAP server (-1)
ldap_pvt_clear_search_results_callback: ld 0x7fa10dd00ab0
ldap_pvt_close_select_pipe: sip = 0x7fa10e803800
tlsst_ctx_free(0x7fa10de02f90)
tlsst_ctx_free(0x7fa10de02f90)
tlsst_destroy()
Certificate is otherwise valid:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(redacted)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=foo, DC=bar, CN=CA 003
Validity
Not Before: Oct 25 23:33:16 2016 GMT
Not After : Oct 25 23:33:16 2017 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
(redacted)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.7:
0-.%+.....7....`...W......./....W...b......d...
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.5, Microsoft Smartcardlogin, TLS Web Server
Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.10:
010...+......0..
+.....7...0
..+.......0
..+.......
X509v3 Subject Key Identifier:
E2:D2:D9:24:6D:A6:5A:2D:59:03:08:38:03:AE:E8:F4:2A:EA:EB:9F
X509v3 Authority Key Identifier:
keyid:16:70:AA:1C:31:53:76:FB:26:B5:B8:EA:FC:76:08:E6:3F:17:0D:2F
X509v3 CRL Distribution Points:
URI:http://foo.bar.com/CertData/CA 003.crl
URI:ldap:///CN=CA
003,CN=server-ldap,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=co3F3FcertificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers -
URI:http://foo.bar.com/CertData/server-ldap_CA-003.crt
CA Issuers - URI:ldap:///CN=CA
003,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectClass=certificationAuthority
X509v3 Subject Alternative Name: critical
DNS:server-ldap.com, DNS:domain.com, DNS:DOMAIN
Signature Algorithm: sha256WithRSAEncryption
(redacted)
The certificate is RFC5280 compliant despite having a blank subject name,
specifically:
"If the subject field contains an empty sequence, then the issuing CA MUST
include a subjectAltName extension that is marked as critical."
Reissuing the certificate and populating the subject field resolves the issue,
but it should not be necessary according to the RFC.
