[Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

Andreas Hasenack andreas at canonical.com
Tue Jul 9 21:06:25 UTC 2019


Same thing on bionic now.


a) SSL with incorrect name fails as expected:
ubuntu at bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog 

ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).

ubuntu at bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog 
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 ACCEPT from IP=10.0.100.234:45518 (IP=0.0.0.0:636)
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:07 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1015 fd=14 closed (connection lost)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 ACCEPT from IP=10.0.100.234:45520 (IP=0.0.0.0:636)
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:02:13 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1016 fd=14 closed (connection lost)

b) START_TLS with incorrect hostname fails as expected:
ubuntu at bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog 
ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h bionic-ldap-start-tls-1835181.lxd -d -1 2>&1 | grep ^TLS
TLS: hostname (bionic-ldap-start-tls-1835181.lxd) does not match common name in certificate (ubuntu).
ubuntu at bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog 
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 op=1 UNBIND
Jul  9 21:03:01 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1017 fd=14 closed
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 ACCEPT from IP=10.0.100.234:37820 (IP=0.0.0.0:389)
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 STARTTLS
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=0 RESULT oid= err=0 text=
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 op=1 UNBIND
Jul  9 21:03:09 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1018 fd=14 closed


Now the good cases, to show the ssl setup is correct:

a) SSL with ubuntu host:
ubuntu at bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog 
ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -H ldaps://ubuntu/
anonymous
ubuntu at bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog 
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 ACCEPT from IP=10.0.100.234:45528 (IP=0.0.0.0:636)
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 BIND dn="" method=128
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=0 RESULT tag=97 err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 WHOAMI
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=1 RESULT oid= err=0 text=
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 op=2 UNBIND
Jul  9 21:03:48 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1019 fd=14 closed

b) START_TLS with ubuntu host:
ubuntu at bionic-ldap-start-tls-1835181:~$ sudo truncate -s 0 /var/log/syslog 
ubuntu at bionic-ldap-start-tls-1835181:~$ ldapwhoami -x -ZZ -h ubuntu
anonymous
ubuntu at bionic-ldap-start-tls-1835181:~$ tail /var/log/syslog 
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 STARTTLS
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=0 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 TLS established tls_ssf=256 ssf=256
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 BIND dn="" method=128
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=1 RESULT tag=97 err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 WHOAMI
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=2 RESULT oid= err=0 text=
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 op=3 UNBIND
Jul  9 21:04:14 bionic-ldap-start-tls-1835181 slapd[2600]: conn=1020 fd=14 closed


Versions:
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.2
  Candidate: 2.4.45+dfsg-1ubuntu1.2
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

and
libgnutls30:
  Installed: 3.5.18-1ubuntu1.1
  Candidate: 3.5.18-1ubuntu1.1
  Version table:
 *** 3.5.18-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages


Before I continue testing older releases, is this procedure correct to try to reproduce the bug? Maybe I missed something.

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1835181

Title:
  OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between
  ldaps:// and ldap:// with STARTTLS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1835181/+subscriptions



More information about the Ubuntu-server-bugs mailing list