Issue 8002 - SSL fails with olcTLSVerifyClient=allow when ITS 7979 patch is applied
Summary: SSL fails with olcTLSVerifyClient=allow when ITS 7979 patch is applied
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.40
Hardware: All
OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-11 12:38 UTC by rik.theys@esat.kuleuven.be
Modified: 2017-04-14 20:13 UTC

See Also:


Description rik.theys@esat.kuleuven.be 2014-12-11 12:38:21 UTC
Full_Name: Rik Theys
Version: 2.4.40
OS: Fedora 21
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.58.253.57)


Hi,

After upgrading from Fedora 20 to 21 my client machine could no longer connect
to our LDAP server. Fedora links OpenLDAP with NSS for TLS. It throws the
following error:

TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/a9b3780c.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/f4033bb2.0 from CA certificate directory /etc/openldap/cacerts.
TLS: skipping 'cacert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'esat.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [CN=wheezy-test.esat.kuleuven.be,OU=ESAT,O=KU Leuven,ST=Leuven,C=BE] is valid
TLS: error: connect - force handshake failure: errno 0 - moznss error -12256
TLS: can't connect: TLS error -12256:SSL received a malformed Certificate Request handshake message..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I downgraded to Fedora package 2.4.40-1.fc21 which did not have this bug.

The only difference between 2.4.40-1.fc21 and 2.4.40-2.fc21 is a backported
patch for ITS #7979 which adds TLS 1+ support.

I tried to reproduce this on a test machine and was initially unable to
reproduce it there. Comparing the config of the test machine with our failing
LDAP servers only showed a difference for the olcTLSVerifyClient setting.

When the LDAP server does not have 'olcTLSVerifyClient: allow' in its
configuration, it works. Once I set this parameter in the server configuration,
the error above appears and LDAP connections are broken.

The patch looks OK so maybe there's something wrong when OpenLDAP uses a higher
TLS version and the bug is to be found there?

I've also filed this bug in the fedora bug tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1172638

Regards,

Rik
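Added triage helper, not part of the report or of OpenLDAP: it reduces the kind of
TLS debug output quoted above to a few facts (which CA files loaded or were
skipped, whether the server certificate verified, the NSS error code, the final
LDAP result) and applies the reporter's own reasoning as rules, so the failing
step (CertificateRequest after a verified server cert) is named rather than
buried in the log. The sample input is the report's lines re-joined onto single
lines; the regular expressions are assumptions derived from those lines only.

```python
import re

# Constructed sample input: the TLS debug lines quoted in the report above,
# re-joined onto single lines (the submission wrapped them at 80 columns).
SAMPLE_LOG = """\
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/a9b3780c.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/f4033bb2.0 from CA certificate directory /etc/openldap/cacerts.
TLS: skipping 'cacert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'esat.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [CN=wheezy-test.esat.kuleuven.be,OU=ESAT,O=KU Leuven,ST=Leuven,C=BE] is valid
TLS: error: connect - force handshake failure: errno 0 - moznss error -12256
TLS: can't connect: TLS error -12256:SSL received a malformed Certificate Request handshake message..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

# Line shapes seen in the report. These patterns are assumptions about the
# moznss TLS debug output, written from the lines above only.
LOADED_RE = re.compile(r"^TLS: loaded CA certificate file (\S+) from ")
SKIPPED_RE = re.compile(r"^TLS: skipping '([^']+)' - (.*)$")
CERTDB_ERR_RE = re.compile(r"^TLS: cannot open certdb '([^']+)', error (-?\d+):(.*)$")
VALID_RE = re.compile(r"^TLS: certificate \[(.*)\] is valid$")
NSS_ERR_RE = re.compile(r"^TLS: can't connect: TLS error (-?\d+):(.*?)\.*$")
LDAP_RESULT_RE = re.compile(r"^ldap_\w+\([^)]*\): (.*) \((-?\d+)\)$")

# CA directory entries are only loaded when named <8-hex-digit hash>.<n>,
# which is what the "skipping ..." lines complain about.
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def is_hashed_ca_name(filename):
    """True if the name has the hash-with-numeric-suffix form the CA loader expects."""
    return HASHED_NAME_RE.match(filename) is not None


def parse_tls_debug(text):
    """Reduce TLS debug output to the facts needed for triage."""
    summary = {
        "loaded_ca": [], "skipped": [], "certdb_error": None,
        "peer_cert_valid": None, "nss_error": None, "ldap_result": None,
    }
    for line in text.splitlines():
        line = line.rstrip()
        m = LOADED_RE.match(line)
        if m:
            summary["loaded_ca"].append(m.group(1))
            continue
        m = SKIPPED_RE.match(line)
        if m:
            summary["skipped"].append((m.group(1), m.group(2)))
            continue
        m = CERTDB_ERR_RE.match(line)
        if m:
            summary["certdb_error"] = (m.group(1), int(m.group(2)), m.group(3).rstrip("."))
            continue
        m = VALID_RE.match(line)
        if m:
            summary["peer_cert_valid"] = m.group(1)
            continue
        m = NSS_ERR_RE.match(line)
        if m:
            summary["nss_error"] = (int(m.group(1)), m.group(2))
            continue
        m = LDAP_RESULT_RE.match(line)
        if m:
            summary["ldap_result"] = (m.group(1), int(m.group(2)))
    return summary


def triage(summary):
    """Turn the summary into findings; the rules encode the reporter's own analysis."""
    findings = []
    if summary["certdb_error"] and summary["loaded_ca"]:
        findings.append("certdb open failed but CA files were still loaded from the "
                        "directory, so the certdb error is not what broke the connection")
    for name, _reason in summary["skipped"]:
        if not is_hashed_ca_name(name):
            findings.append("%s was ignored: CA directory files must be named <hash>.<n>" % name)
    if summary["nss_error"] and summary["nss_error"][0] == -12256 and summary["peer_cert_valid"]:
        findings.append("server certificate verified, then the client rejected the "
                        "CertificateRequest; check the server's client-verification "
                        "setting (olcTLSVerifyClient) and the negotiated TLS version")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_tls_debug(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the output of an `ldapsearch -d` run with TLS debugging enabled; the
CertificateRequest finding only fires when the server certificate was already
reported valid, which is what separates this regression from an ordinary CA
trust problem.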
Comment 1 OpenLDAP project 2017-04-14 20:13:52 UTC
Invalid per upstream bug report
Comment 2 Quanah Gibson-Mount 2017-04-14 20:13:52 UTC
changed notes
changed state Open to Closed