On Thu, Aug 03, 2023 at 10:00:37AM +1000, Sean Gallagher wrote:
> Looking through the code, I see that dnX509peerNormalize() is called almost
> immediately after the TLS is established and that it may be handled by a
> callable handler installed by the register_certificate_map_function() entry
> point. This would be an ideal place to inspect the certificate. The only
> problem being that there is no way to "reject" a certificate and force
> the connection to be closed.
> 
> It may be possible to use the ssl context passed into the
> dnX509peerNormalize() function to close the connection but this would not be
> very clean and likely have undesirable side effects. What would be good is
> if dnX509peerNormalize() could return a particular error code to signal that
> the connection should be immediately closed.

Calling SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN) sounds like it should do
the trick? Next read will fail and so you never receive data that you
consider "hostile"?

> I see that LDAP_INVALID_CREDENTIALS is already used to signal benign invalid
> credentials.
> 
> Maybe a new error code is required, something like
> "LDAP_HOSTILE_CREDENTIALS".

Right now there is no way to tell whether a failure to extract a client
DN is because there isn't one or because it's invalid. Someone would have
to clean all the relevant code up to make this possible.

LDAP_INVALID_CREDENTIALS corresponds to the "invalidCredentials (49)"
resultCode as per RFC 4511 and is used in Bind handling; we're not at
Bind time yet. If you want to prevent anonymous connections from doing
anything, you might want to consider writing an overlay and attaching it
to a DB or even globally.

> This would seem to be a generally useful thing to have in the slapd core. Is
> this something the OpenLDAP project would consider doing?

Touching that code would probably tie into an overhaul of the entire
SASL Bind identity support (EXTERNAL and otherwise): how librewrite
comes into the picture, etc. Unless there is broad consensus on how that
would look and work, I don't feel like that is going to happen any time
soon? So 2.7 doesn't look like it would include this kind of change.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
