OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Incoming/5582
Full headers

From: h.b.furuseth@usit.uio.no
Subject: Default OpenSSL certs are only used when TLS_CACERT(DIR)
Compose comment
Download message
State:
0 replies:
2 followups: 1 2

Major security issue: yes  no

Notes:

Notification:


Date: Fri, 27 Jun 2008 17:32:57 GMT
From: h.b.furuseth@usit.uio.no
To: openldap-its@OpenLDAP.org
Subject: Default OpenSSL certs are only used when TLS_CACERT(DIR)
Full_Name: Hallvard B Furuseth
Version: HEAD, 2.3, 2.4
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-080627.diff
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


OpenLDAP only uses the default certificates installed with OpenSSL if
TLS_CACERT or TLS_CACERTDIR is set.  Or presumably
TLSCACertificate<File/Dir> in servers, but the libldap/tls.c code for
servers seem to require a certificate chain from that directory anyway.

To reproduce:
  $ export LDAPCONF=/dev/null
  $ ldapwhoami -xZZh ldap.uio.no
  certificate verify failed
  $ export LDAPTLS_CACERT="*any* certificate.pem file"
  $ ldapwhoami -xZZh ldap.uio.no
  anonymous

  Or if it still fails, find where OpenSSL wants its default certs:
    strace ldapwhoami -xZZh ldap.uio.no 2>&1 | grep ssl
  and temporarily append the root cert which signed our server cert from
	https://secure.globalsign.net/cacert/CT_Root_CA.pem
  Then try again.  Something like /usr/local/ssl/cert.pem.
  $ ldapwhoami -xZZh ldap.uio.no
  anonymous
  $ unset LDAPTLS_CACERT; ldapwhoami -xZZh ldap.uio.no
  certificate verify failed

The relevant code is in libldap/tls.c:ldap_int_tls_init_ctx().
I enclose a tentative patch which fixes the above problem, but
I'm not sure it's the right one for servers and GnuTLS.

The GnuTLS branch does not require a server TLSCACertificateFile,
but the OpenSSL code does.  I don't know if GnuTLS has a default
which is used instead, nor if OpenSSL can have that.


Followup 1

Download message
Date: Fri, 27 Jun 2008 11:55:19 -0700
From: Howard Chu <hyc@symas.com>
To: h.b.furuseth@usit.uio.no
CC: openldap-its@openldap.org
Subject: Re: (ITS#5582) Default OpenSSL certs are only used when TLS_CACERT(DIR)
h.b.furuseth@usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: HEAD, 2.3, 2.4
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-080627.diff
> Submission from: (NULL) (129.240.6.233)
> Submitted by: hallvard
>
>
> OpenLDAP only uses the default certificates installed with OpenSSL if
> TLS_CACERT or TLS_CACERTDIR is set.  Or presumably
> TLSCACertificate<File/Dir>  in servers, but the libldap/tls.c code
for
> servers seem to require a certificate chain from that directory anyway.
>
Sounds like this works as designed. The docs tell you that either CACERT or 
CACERTDIR must be explicitly configured.


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Download message
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Fri, 27 Jun 2008 22:18:41 +0200
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5582) Default OpenSSL certs are only used when TLS_CACERT(DIR)
Howard Chu writes:
> Sounds like this works as designed.  The docs tell you that
> either CACERT or CACERTDIR must be explicitly configured.

Maybe, but in that case the bug is that configuring them to an
irrelevant certificate works as a "use the OpenSSL defaults" flag.

Which is weird at best.  And broke our testing: We thought we checked
that certain of our users and clients had updated to use our new cert,
but actually we just checked that the OpenSSL installations on the test
hosts had the CyberTrust root cert.  Which got really confusing when we
later tried to get some test clients without the new cert to fail.

However if we turn this off (remove SSL_CTX_set_default_verify_paths()),
we'll likely break existing installations that (intentionally or not)
make use of this feature.  (Like some of the clients we supposedly
tested:-)

Thus it seemed best to always load them.  Though OTOH I suppose it's not
such a good idea to trust a bunch of certs without being asked to do so.
Yet if you can't trust your OpenSSL maintainer...
Could add a keyword to turn on (or off) loading of defaults, but I do
think it should be independent of whether TLS_CACERT(DIR) have been set.

-- 
Hallvard


Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org