OpenLDAP
Viewing Software Bugs/7197
From: quanah@openldap.org
Subject: olcTLSVerifyClient missing options
Date: Sun, 04 Mar 2012 20:40:07 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: olcTLSVerifyClient missing options
Full_Name: Quanah Gibson-Mount
Version: 2.4.30
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.108.184.39)


From the manual page:

      olcTLSVerifyClient: <level>
              Specifies what checks to perform on client certificates in an
              incoming TLS session, if any.  The <level> can be specified as
              one of the following keywords:

              never  This is the default.  slapd will not ask the client for a
                     certificate.

              allow  The client certificate is requested.  If no certificate
                     is provided, the session proceeds normally.  If a bad
                     certificate is provided, it will be ignored and the
                     session proceeds normally.

              try    The client certificate is requested.  If no certificate
                     is provided, the session proceeds normally.  If a bad
                     certificate is provided, the session is immediately
                     terminated.

              demand | hard | true
                     These keywords are all equivalent, for compatibility
                     reasons.  The client certificate is requested.  If no
                     certificate is provided, or a bad certificate is
                     provided, the session is immediately terminated.

                     Note that a valid client certificate is required in order
                     to use the SASL EXTERNAL authentication mechanism with a
                     TLS session.  As such, a non-default olcTLSVerifyClient
                     setting must be chosen to enable SASL EXTERNAL
                     authentication.


However, the code has:

static slap_verbmasks vfykeys[] = {
        { BER_BVC("never"),     LDAP_OPT_X_TLS_NEVER },
        { BER_BVC("demand"),    LDAP_OPT_X_TLS_DEMAND },
        { BER_BVC("try"),       LDAP_OPT_X_TLS_TRY },
        { BER_BVC("hard"),      LDAP_OPT_X_TLS_HARD },
        { BER_BVNULL, 0 }
};


Which means:

a) allow is missing
b) true is missing
c) demand and hard set different flags.  Not sure if that means any difference
functionality wise, but according to the manual page, demand/true/hard are
supposed to be the same behavior.


Followup 1

Date: Wed, 04 Apr 2012 13:04:22 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7197) olcTLSVerifyClient missing options
--On Sunday, March 04, 2012 8:40 PM +0000 quanah@OpenLDAP.org wrote:

see also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658749>

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org