OpenLDAP

Viewing Incoming/7164

From: nick@eurobjects.com
Subject: Prevent change of TLS setting if invalid (Dynamic Config)

Date: Mon, 13 Feb 2012 18:44:04 +0000
From: nick@eurobjects.com
To: openldap-its@OpenLDAP.org
Subject: Prevent change of TLS setting if invalid (Dynamic Config)
Full_Name: Nikolaos Milas
Version: 2.4.28
OS: CentOS 5.7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (94.65.22.12)


If, in a working OpenLDAP installation with dynamic configuration, we
inadvertently change the value of:

   olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

   olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then OpenLDAP Server continues to work (and we see no error message whatsoever),
but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is
starting, we see:

   Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then the service is immediately stopped.

OpenLDAP Server should check whether the new parameter value points to an
existing file, and, if not, it should refuse to change the attribute value. For
a more complete procedure, it could also check whether the indicated file
includes a valid certificate, suitable for this parameter, and, again, if not,
it should refuse to change the attribute value.

Also, in case it's possible that one of the TLS File parameters gets an invalid
value (e.g. through slapadd), then a meaningful message during startup failure
would be helpful, e.g.: "olcTLSCertificateKeyFile: File /path/to/key.pem not
found or contains invalid certificate."
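The report asks slapd to validate a TLS file attribute before accepting the change. The following added example (not OpenLDAP code, and not from the reporter) performs that pre-flight check on the operator's side: it scans a `changetype: modify` LDIF for `olcTLSCertificateFile`, `olcTLSCACertificateFile` and `olcTLSCertificateKeyFile`, verifies that each new value is an existing PEM file containing a block of the right type, and reports problems in the wording the report proposes. It assumes PEM-encoded files on a POSIX host; the sample key, certificate and LDIF in `demo()` are constructed.

```python
import base64
import os
import re
import tempfile

# PEM block types acceptable for each TLS file attribute (assumption: PEM files).
TLS_FILE_ATTRS = {
    "olcTLSCertificateFile": ("CERTIFICATE",),
    "olcTLSCACertificateFile": ("CERTIFICATE",),
    "olcTLSCertificateKeyFile": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
}
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----\s*$", re.M)

def check_tls_attr(attr, path):
    """None if usable, else a message of the kind the report asks slapd to print."""
    if not os.path.isfile(path):
        return f"{attr}: File {path} not found"
    with open(path, encoding="ascii", errors="replace") as f:
        found = set(PEM_HEADER.findall(f.read()))
    wanted = TLS_FILE_ATTRS[attr]
    if not found.intersection(wanted):
        return f"{attr}: File {path} contains no {' / '.join(wanted)} block"
    return None

def check_ldif_modify(ldif_text):
    """Check TLS file values in a 'changetype: modify' LDIF; [] means safe."""
    problems = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip() not in TLS_FILE_ATTRS:
            continue
        if value.startswith(":"):  # LDIF base64 form "attr:: <b64>"
            value = base64.b64decode(value[1:].strip()).decode()
        msg = check_tls_attr(attr.strip(), value.strip())
        if msg:
            problems.append(msg)
    return problems

def demo():
    """Constructed data: valid key, missing file, and a cert passed as a key."""
    d = tempfile.mkdtemp()
    key, cert = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    ldif = ("dn: cn=config\nchangetype: modify\n"
            "replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {}\n")
    missing = os.path.join(d, "non", "existing", "key.pem")
    return [check_ldif_modify(ldif.format(p)) for p in (key, missing, cert)]
```

Run `check_ldif_modify()` over the LDIF you are about to feed to `ldapmodify` and apply it only when the returned list is empty; the PEM-header check is a sanity test, not a full certificate/key validation.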


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org