[Bug 1026057] [NEW] Segfault when setting bad olcTLSCipherSuite

Joonas Koivunen joonas.koivunen at gmail.com
Wed Jul 18 10:10:31 UTC 2012 

Public bug reported:

Steps to reproduce:

1. Configure olcTLSCertificateFile & olcTLSCertificateKeyFile:
dn: cn=config
changeType: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /some/valid/pemfile/path
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /some/valid/pemfile/path

(At this point openldap started to support STARTTLS and began working as
a sssd authentication backend.)

2. Try configuring olcTLSCipherSuite to an openssl kind, for example:
dn: cn=config
changeType: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:!NULL:!EXP

Expected result in gnutls compiled openldap: some kind of refusal of
configuration change (gnutls does not apparently support any kind of
ciphersuite names like openssl).

Actual result: segfault [01-slapd-stderr.log]

Syslog message about crash: kernel: [ 4158.532053] slapd[2696]: segfault
at 7fa824106008 ip 00007fa837ad10b5 sp 00007fa830df8110 error 4 in
libc-2.15.so[7fa837a52000+1b3000]

>From administrators perspective openldap would be easier to configure
should it be compiled against openssl instead of gnutls as ciphersuites
would be simpler to specify. I'm not aware if openssl build would crash
here as well. Crash is however rather bad indicator of "unsupported
configuration value".

# apt-cache policy slapd
slapd:
  Installed: 2.4.28-1.1ubuntu4
  Candidate: 2.4.28-1.1ubuntu4
  Version table:
 *** 2.4.28-1.1ubuntu4 0
        500 http://fi.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status

# lsb_release -rd
Description:    Ubuntu 12.04 LTS
Release:        12.04

# slapd -VVV
@(#) $OpenLDAP: slapd  (Apr  5 2012 16:22:20) $
        buildd at allspice:/build/buildd/openldap-2.4.28/debian/build/servers/slapd

Included static backends:
    config
    ldif

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1026057

Title:
  Segfault when setting bad olcTLSCipherSuite

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1026057/+subscriptions

More information about the Ubuntu-server-bugs mailing list