De nada: my pleasure.

Just to make sure that the issue is clear though, it's worth spelling it
out.

The core of the issue is that in its present form (and going back
multiple distributions) the default configuration for connections using
SSL via STARTTLS (which is the norm) does not check the validity of the
server certificate at all.

This means that the connection can simply be MITMed, then the contents
accessed (sensitive authentication credentials etc). From my
perspective, this kind of issue is actually worse than having no SSL at
all, because no-one would use an unencrypted connection anywhere
exposed, whereas people will now be deploying connections thinking the
SSL is offering some form of protection, whereas it is not. It's a
false sense of security.

Obviously all the packages that have this library as a dependency are
insecure and vulnerable to interception too.

https://bugs.launchpad.net/bugs/1835181

Title:
  OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between
  ldaps:// and ldap:// with STARTTLS

Status in openldap package in Ubuntu:
  New

Bug description:
  This is the same bug as
  https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1547927 which
  has been closed.

  Tested and confirmed present with vivid, wily, xenial and bionic.

  Also logged with openldap as
  http://www.openldap.org/its/index.cgi/Incoming?id=8374; however, I think
  that this is a packaging issue caused by using GNUTLS rather than
  OpenSSL.

  Important: to replicate the issue you need to connect to an LDAP
  server which presents a certificate with a CN that DOES NOT MATCH the
  connection URI passed to the OpenLDAP client. In practice, this is
  simple enough to achieve by using the IP address of a server rather
  than the FQDN.

  The core of the issue is that the handling of the
  LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between
  servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs.

  When accessing a server with an invalid certificate, the results are:

  ldaps://

  never  OK
  hard   Error: can't contact LDAP server
  demand Error: can't contact LDAP server
  allow  OK
  try    Error: can't contact LDAP server

  ldap:// plus explicit ldap_start_tls_s()

  never  OK
  hard   OK
  demand OK
  allow  OK
  try    OK

  Based on all the documentation, the results should be the same between
  approaches.
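As an added illustration (not code from the report or from OpenLDAP), written in Python with python-ldap because it exposes the same libldap options: an audit of the two result tables above against the documented TLS_REQCERT semantics, and a STARTTLS client that sets the certificate requirement explicitly per connection instead of relying on the packaged default. The URI and CA file path are placeholders.

```python
"""Audit TLS_REQCERT observations and open a STARTTLS session that
refuses unverified server certificates (example, not OpenLDAP code)."""

# Documented semantics of TLS_REQCERT / LDAP_OPT_X_TLS_REQUIRE_CERT
# (ldap.conf(5)): must this mode reject a certificate that fails
# validation (untrusted chain or hostname mismatch)?
REQCERT_MUST_REJECT_INVALID = {
    "never": False,   # certificate is not even requested
    "allow": False,   # bad or missing certificate is ignored
    "try": True,      # bad certificate terminates the session
    "demand": True,   # certificate required; bad one terminates
    "hard": True,     # same as demand
}


def audit_reqcert_results(observed):
    """Return the modes in which a connection to a server with an
    invalid certificate succeeded although the mode must reject it.
    `observed` maps mode -> True when the connection reported OK."""
    return [mode for mode, ok in observed.items()
            if ok and REQCERT_MUST_REJECT_INVALID[mode]]


# Constructed from the two result tables in the report (True == "OK").
LDAPS_RESULTS = {"never": True, "hard": False, "demand": False,
                 "allow": True, "try": False}
STARTTLS_RESULTS = {"never": True, "hard": True, "demand": True,
                    "allow": True, "try": True}


def connect_starttls_verified(uri, cacert_path, timeout=10):
    """Open an ldap:// connection and upgrade it with STARTTLS, refusing
    to continue unless the server certificate chains to cacert_path and
    matches the host in `uri` (hypothetical URI/path supplied by caller)."""
    import ldap  # python-ldap; imported here so the audit above runs without it
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    # Set the TLS policy on this handle explicitly rather than trusting the
    # distribution default, then instantiate a fresh TLS context: libldap
    # only applies per-handle TLS options once OPT_X_TLS_NEWCTX is set.
    ld.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    ld.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_path)
    ld.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must follow the other TLS options
    # Raises ldap.LDAPError (e.g. CONNECT_ERROR) when the certificate is bad;
    # against an IP-addressed server with a CN for the FQDN that is the
    # expected, secure outcome.
    ld.start_tls_s()
    return ld
```

Running the audit over the report's own tables flags hard, demand and try for the ldap:// plus STARTTLS case and nothing for ldaps://, which is exactly the discrepancy the report describes.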
