[Bug 757715] New: bad openldap cert checking
https://bugzilla.novell.com/show_bug.cgi?id=757715
https://bugzilla.novell.com/show_bug.cgi?id=757715#c0

Summary: bad openldap cert checking
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: All
OS/Version: openSUSE 12.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: rhafer@suse.com
ReportedBy: bwiedemann@suse.com
QAContact: qa-bugs@suse.de
CC: lnussel@suse.com
Found By: ---
Blocker: ---

When using ldaps in a default openSUSE install, ldap.conf is empty and any ldaps access fails:

    ldapsearch -H ldaps://pan.suse.de -x -b "o=novell" uid=bwiedemann
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In order to work, this needs in /etc/openldap/ldap.conf:

    TLS_CACERTDIR /etc/ssl/certs

But it turned out that also any invalid value for TLS_CACERTDIR makes it work, because the code falls back to the default ssl path, e.g.

    TLS_CACERTDIR invalidxx

Invalid TLS_CACERT values don't seem to trigger this fallback.

If this could not be fixed in the code, it would be good to still have a line in the config with

    #TLS_CACERTDIR /etc/ssl/certs

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=757715#c1
--- Comment #1 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=757715#c2
--- Comment #2 from Ralf Haferkamp
The code in libraries/libldap/tls_o.c (or libraries/libldap/tls.c) has a rather weird logic. It tries to set the specified cafile/cadir and if that fails uses openssl's defaults (SSL_CTX_set_default_verify_paths). So if nothing is specified it doesn't use any cafile/cadir. It's even more weird: it only calls SSL_CTX_set_default_verify_paths when SSL_CTX_load_verify_locations succeeds. The man-page says SSL_CTX_load_verify_locations returns 1 in case of success and 0 in case of failure.

We discussed this already 2 years ago, and found out that many other programs use exactly the same code, e.g. postfix (at least back when I checked last time) and cyrus-imapd. The code in OpenLDAP is almost an exact copy of openssl's s_client code, for which you even filed an upstream bug: http://rt.openssl.org/Ticket/Display.html?id=2203&user=guest&pass=guest There was however no reaction on that report ;(

For OpenLDAP there is also an upstream bug report: http://www.openldap.org/its/index.cgi?findid=5582 There seems to be agreement not to change the current behavior within the 2.4 release of OpenLDAP. There seem to be clients out there relying on this behavior (which I agree is somewhat broken).

> I think the code should be modified to use defaults if nothing is specified and fail if an explicitly specified cafile/cadir cannot be loaded.

I'd rather go with what upstream does here, as they are already aware of the weirdness and decided to address this in the next bigger release (2.5).

> That way no config change is needed at all (although adding an example line can't hurt either).

Ok, adding the example line is not a big deal, I can do that.

The question remains how we'll address all the other packages that use this weird logic?
https://bugzilla.novell.com/show_bug.cgi?id=757715#c3
--- Comment #3 from Ludwig Nussel
> The code in libraries/libldap/tls_o.c (or libraries/libldap/tls.c) has a rather weird logic. It tries to set the specified cafile/cadir and if that fails uses openssl's defaults (SSL_CTX_set_default_verify_paths). So if nothing is specified it doesn't use any cafile/cadir. It's even more weird: it only calls SSL_CTX_set_default_verify_paths when SSL_CTX_load_verify_locations succeeds. The man-page says SSL_CTX_load_verify_locations returns 1 in case of success and 0 in case of failure.

Ah, indeed. It's or'ed. D'oh.

> We discussed this already 2 years ago, and found out that many other programs use exactly the same code, e.g. postfix (at least back when I checked last time) and cyrus-imapd. The code in OpenLDAP is almost an exact copy of openssl's s_client code, for which you even filed an upstream bug: http://rt.openssl.org/Ticket/Display.html?id=2203&user=guest&pass=guest There was however no reaction on that report ;(

Yes, there are also similar reports from other people.

> I think the code should be modified to use defaults if nothing is specified and fail if an explicitly specified cafile/cadir cannot be loaded. I'd rather go with what upstream does here, as they are already aware of the weirdness and decided to address this in the next bigger release (2.5).

The fallback in the else case could be added safely I guess. I.e. use defaults if nothing is specified.

> That way no config change is needed at all (although adding an example line can't hurt either). Ok, adding the example line is not a big deal, I can do that.

> The question remains how we'll address all the other packages that use this weird logic?

Fix them when we see them I guess.
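As an added illustration (not code from OpenLDAP or from anyone in this thread), the following Python reconstructs the two control flows the comments describe, using Python's ssl module, which wraps the same OpenSSL calls; the temporary directory standing in for /etc/ssl/certs and the nonexistent paths are constructed inputs.

```python
import os
import ssl
import tempfile

# Reconstruction of the tls_o.c / s_client verify-location logic from the thread,
# written from the comments, not copied. Python's ssl module wraps the same calls:
# load_verify_locations -> SSL_CTX_load_verify_locations, load_default_certs -> SSL_CTX_set_default_verify_paths.

def weird_setup(ctx, cafile=None, cadir=None):
    """OpenLDAP 2.4 behaviour: explicit locations or'ed with the defaults."""
    if cafile is None and cadir is None:
        return "no-ca"            # empty ldap.conf: no trust store, ldaps fails
    try:
        ctx.load_verify_locations(cafile=cafile, capath=cadir)
    except OSError:
        return "error"            # bad TLS_CACERT: load fails, no fallback at all
    # Only reached when the explicit load "succeeded". OpenSSL records a CApath
    # without checking that it exists, so a bogus TLS_CACERTDIR lands here and
    # silently picks up the system defaults: the reporter's observation.
    ctx.load_default_certs()
    return "explicit+defaults"

def fixed_setup(ctx, cafile=None, cadir=None):
    """Comment #1's proposal: defaults when nothing is configured, hard failure
    when an explicitly configured location cannot be used."""
    if cafile is None and cadir is None:
        ctx.load_default_certs()
        return "defaults"
    if cadir is not None and not os.path.isdir(cadir):
        raise FileNotFoundError(cadir)   # OpenSSL would not tell us
    ctx.load_verify_locations(cafile=cafile, capath=cadir)  # raises on a bad cafile
    return "explicit"

def outcome(setup, cafile=None, cadir=None):
    """Run one ldap.conf situation through `setup` on a fresh client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        return setup(ctx, cafile, cadir)
    except OSError:
        return "error"

def run_matrix():
    """The situations from the report, against both variants."""
    with tempfile.TemporaryDirectory() as good_dir:   # constructed stand-in for /etc/ssl/certs
        cases = {"empty": (None, None),
                 "bogus-dir": (None, "/nonexistent/certs"),
                 "bogus-file": ("/nonexistent/ca.pem", None),
                 "good-dir": (None, good_dir)}
        return {name: (outcome(weird_setup, *args), outcome(fixed_setup, *args))
                for name, args in cases.items()}
```

Each entry of `run_matrix()` is a pair (2.4 logic, fixed logic); the "bogus-dir" row is exactly the reporter's "any invalid TLS_CACERTDIR makes it work" case.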
https://bugzilla.novell.com/show_bug.cgi?id=757715#c4
--- Comment #4 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=757715#c5
--- Comment #5 from Ralf Haferkamp