Issue 7197 - olcTLSVerifyClient missing options
Summary: olcTLSVerifyClient missing options
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.30
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-04 20:40 UTC by Quanah Gibson-Mount
Modified: 2014-08-01 21:04 UTC (History)
Description Quanah Gibson-Mount 2012-03-04 20:40:07 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.30
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.108.184.39)


From the manual page:

      olcTLSVerifyClient: <level>
             Specifies what checks to perform on client certificates in an
             incoming TLS session, if any. The <level> can be specified as
             one of the following keywords:

             never  This is the default. slapd will not ask the client for a
                    certificate.

             allow  The client certificate is requested. If no certificate
                    is provided, the session proceeds normally. If a bad
                    certificate is provided, it will be ignored and the
                    session proceeds normally.

             try    The client certificate is requested. If no certificate
                    is provided, the session proceeds normally. If a bad
                    certificate is provided, the session is immediately
                    terminated.

             demand | hard | true
                    These keywords are all equivalent, for compatibility
                    reasons. The client certificate is requested. If no
                    certificate is provided, or a bad certificate is
                    provided, the session is immediately terminated.

                    Note that a valid client certificate is required in order
                    to use the SASL EXTERNAL authentication mechanism with a
                    TLS session. As such, a non-default olcTLSVerifyClient
                    setting must be chosen to enable SASL EXTERNAL
                    authentication.


However, the code has:

static slap_verbmasks vfykeys[] = {
        { BER_BVC("never"),     LDAP_OPT_X_TLS_NEVER },
        { BER_BVC("demand"),    LDAP_OPT_X_TLS_DEMAND },
        { BER_BVC("try"),       LDAP_OPT_X_TLS_TRY },
        { BER_BVC("hard"),      LDAP_OPT_X_TLS_HARD },
        { BER_BVNULL, 0 }
};


Which means:

a) allow is missing
b) true is missing
c) demand and hard set different flags. Not sure if that means any difference
functionality-wise, but according to the manual page, demand/true/hard are
supposed to be the same behavior.
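To make the mismatch concrete, here is an added example (not OpenLDAP code) that models the keyword table and the per-level handshake outcome exactly as the manual page quoted above describes them, with every documented keyword present and demand/hard/true sharing one level. The VFY_* and CERT_* enums are a local stand-in for libldap's LDAP_OPT_X_TLS_* values, and the behaviour of the unknown-keyword case is an assumption of the model.

```c
/* Added example, not OpenLDAP code. Models olcTLSVerifyClient as documented
 * in the manual page. VFY_* is a local stand-in, not LDAP_OPT_X_TLS_*. */
#include <stddef.h>
#include <strings.h>

enum verify_level { VFY_NEVER, VFY_ALLOW, VFY_TRY, VFY_DEMAND, VFY_UNKNOWN };
enum cert_state   { CERT_NONE, CERT_VALID, CERT_BAD };

/* Every keyword the manual documents; demand/hard/true map to one level. */
static const struct { const char *kw; enum verify_level lvl; } vfykeys_full[] = {
    { "never",  VFY_NEVER  },
    { "allow",  VFY_ALLOW  },
    { "try",    VFY_TRY    },
    { "demand", VFY_DEMAND },
    { "hard",   VFY_DEMAND },
    { "true",   VFY_DEMAND },
    { NULL,     VFY_UNKNOWN }
};

/* Case-insensitive keyword lookup; VFY_UNKNOWN is what the table in the
 * report yields for "allow" and "true", since those rows are missing. */
enum verify_level parse_verify_level(const char *kw) {
    for (size_t i = 0; vfykeys_full[i].kw != NULL; i++)
        if (strcasecmp(kw, vfykeys_full[i].kw) == 0)
            return vfykeys_full[i].lvl;
    return VFY_UNKNOWN;
}

struct outcome { int session_proceeds; int identity_usable; };

/* Handshake result for a level and the certificate the client presented.
 * identity_usable: a verified client cert exists for SASL EXTERNAL. */
struct outcome apply_verify_level(enum verify_level lvl, enum cert_state cs) {
    struct outcome o = { 1, 0 };
    switch (lvl) {
    case VFY_NEVER:   /* cert never requested, so no identity is established */
        break;
    case VFY_ALLOW:   /* missing or bad cert ignored; session continues */
        o.identity_usable = (cs == CERT_VALID);
        break;
    case VFY_TRY:     /* missing cert tolerated; bad cert ends the session */
        o.session_proceeds = (cs != CERT_BAD);
        o.identity_usable  = (cs == CERT_VALID);
        break;
    case VFY_DEMAND:  /* demand/hard/true: cert required and must verify */
        o.session_proceeds = (cs == CERT_VALID);
        o.identity_usable  = (cs == CERT_VALID);
        break;
    default:          /* assumption: unknown keyword rejects the config */
        o.session_proceeds = 0;
    }
    return o;
}
```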

Comment 1 Quanah Gibson-Mount 2012-04-04 20:04:22 UTC
--On Sunday, March 04, 2012 8:40 PM +0000 quanah@OpenLDAP.org wrote:

see also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658749>

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 2 Howard Chu 2012-04-04 20:26:06 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2012-05-09 19:39:32 UTC
changed notes
changed state Test to Closed
Comment 4 OpenLDAP project 2014-08-01 21:04:42 UTC
fixed in master
fixed in RE24