[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-10 Thread dog
Thanks for all the debug effort! I've gone back and double-checked the code that was causing the failure, and at some point during the testing it had been changed so that the return from ldap_start_tls_s wasn't being checked (as it always returned true), and instead a check was being made against

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-08 Thread dog
I think it falls into the gaps between the various packaging approaches and distributions. From the discussions with the OpenLDAP chaps, they were pretty confident that they couldn't replicate the issue with the package built against OpenSSL, plus there was some talk of the issue being related to a

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-05 Thread dog
https://cwe.mitre.org/data/definitions/295.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1835181 Title: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-05 Thread dog
And just to add a real world example. If you use one of the dependent packages (apache, exim, squid, samba, php, postgres etc.) and use LDAP for your auth, then the SSL is worthless and anyone with access to the network can intercept and recover the credentials in the request/response.

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-05 Thread dog
De nada: my pleasure. Just to make sure that the issue is clear though, it's worth spelling it out. The core of the issue is that in its present form (and going back multiple distributions) the default configuration for connections using SSL via STARTTLS (which is the norm) does not check the

Re: [Touch-packages] [Bug 1547927] Re: LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

2018-06-28 Thread dog
I don't think they have: my ticket is still open with them too. :( -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1547927 Title: LDAP_OPT_X_TLS_REQUIRE_CERT handling

Re: [Touch-packages] [Bug 1547927] Re: LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

2018-06-27 Thread dog
I can check again, but the last time I looked this was still broken ...

[Touch-packages] [Bug 1547927] Re: LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

2017-07-29 Thread dog
Hi, There's a lot more detail on the bug report on the openldap site, including some replication steps: http://www.openldap.org/its/index.cgi/Incoming?id=8374#followup7 I've just tried again, and it still doesn't work as expected on xenial with the latest packages installed. The connection for

[Touch-packages] [Bug 1557248] Re: OpenLDAP: Backport a fix for use-after-free in GnuTLS-related code

2016-03-23 Thread dog
This patch may also resolve https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1547927 I'll confirm once available and I have an opportunity to test.

[Touch-packages] [Bug 1547927] Re: LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

2016-02-22 Thread dog
Oh, and if you're wondering, the ldaps:// results are the correct ones: an untrusted CA (self signed) should be rejected.

[Touch-packages] [Bug 1547927] [NEW] LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

2016-02-22 Thread dog
Public bug reported: Tested with vivid and wily... also logged with openldap as http://www.openldap.org/its/index.cgi/Incoming?id=8374 The handling of the LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs. When