Issue 8610 - ldaps not usable with DNS SRV
Summary: ldaps not usable with DNS SRV
Status: UNCONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-06 14:48 UTC by silvio.wanka@fiege.com
Modified: 2022-10-21 21:31 UTC (History)
CC List: 0 users

See Also:


Description silvio.wanka@fiege.com 2017-03-06 14:48:57 UTC
Full_Name: Silvio Wanka
Version: openldap-client-2.4.44
OS: FreeBSD 10.3-RELEASE-p16
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.138.118.158)


Hi,

if I use "ldap:///dc%3Dexample%2Cdc%3Dorg" on a test system, all works properly,
but I must use LDAPS on a DMZ system and so I try
"ldaps:///dc%3Dexample%2Cdc%3Dorg", but this searches for an ldap DNS SRV record,
which of course returns the normal ldap port, not the ldaps port. This can't
work, because a firewall is in between.
Is this normal (by design) or a bug? There is also an old discussion on your
site: http://www.openldap.org/lists/openldap-technical/201203/msg00027.html.
IMO OpenSSL should either support DNS SRV lookup for every scheme or for none.

TIA,
Silvio
Comment 1 Quanah Gibson-Mount 2017-03-17 16:42:19 UTC
moved from Incoming to Software Bugs
Comment 2 braiamp 2020-06-05 21:51:57 UTC
This issue seems to be still present in master.
Comment 3 braiamp 2020-06-05 21:52:45 UTC
Also present on Debian version ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.50+dfsg-1
Comment 4 Michael Ströder 2020-06-05 23:26:11 UTC
And still there is no standard which defines a decent TLS domain name check for SRV RRs with well-defined subjectAltName values to prevent MITM attacks.

See also: https://tools.ietf.org/html/rfc6125#section-3
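The two points raised in this issue, that a DN-only ldaps:/// URL yields an SRV answer carrying the plain-LDAP port, and that the TLS name check after an SRV lookup needs a defined reference identity, can be illustrated with the steps a client has to take itself. The block below is an added example written for this page, not OpenLDAP code: it maps the DN's dc= components to a domain (RFC 2247), picks an SRV target by RFC 2782 priority/weight from a constructed RRset (no network lookup is made), replaces the SRV port with the ldaps port when the scheme is ldaps, and, following the rule in RFC 6125 section 6.2.1 that a derived name from an unsecured DNS lookup must not become the reference identity, verifies the certificate against the source domain from the DN rather than the SRV target unless the SRV answer was DNSSEC-validated. The RRset, hostnames and the `plan_connection` function are assumptions of this example.

```python
"""Added example: host discovery via SRV for a DN-only ldaps:/// URL.
Not OpenLDAP code. The SRV RRset is constructed inline; nothing is resolved."""
import random
from urllib.parse import quote, unquote, urlsplit

LDAP_PORT = 389    # what _ldap._tcp SRV records normally carry
LDAPS_PORT = 636   # registered ldaps port; never comes from _ldap._tcp

# Constructed SRV RRset for _ldap._tcp.example.org: (priority, weight, port, target)
EXAMPLE_SRV = [
    (10, 0, LDAP_PORT, "ldap2.example.org."),
    (0, 100, LDAP_PORT, "ldap1.example.org."),
]


def dn_to_domain(dn):
    """Map the dc= components of a DN to a DNS name (RFC 2247):
    dc=example,dc=org -> example.org. Other RDNs are ignored."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "dc":
            labels.append(value.strip())
    if not labels:
        raise ValueError("DN has no dc= components, cannot derive a domain: %r" % dn)
    return ".".join(labels)


def parse_dn_only_url(url):
    """Return (scheme, dn, domain) for a URL like ldaps:///dc%3Dexample%2Cdc%3Dorg.
    A URL that already names a host never triggers SRV discovery, so it is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if parts.netloc:
        raise ValueError("host given explicitly, no SRV lookup needed: %r" % url)
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, dn, dn_to_domain(dn)


def select_srv_target(records, rng=random.random):
    """RFC 2782 selection: lowest priority wins; weights choose within that priority.
    rng is injectable so the choice can be made deterministic in tests."""
    if not records:
        raise LookupError("empty SRV RRset")
    best = min(rec[0] for rec in records)
    group = [rec for rec in records if rec[0] == best]
    total = sum(rec[1] for rec in group)
    if total == 0:
        return group[0]
    pick = rng() * total
    running = 0
    for rec in group:
        running += rec[1]
        if pick < running:       # zero-weight records are skipped, as the RFC intends
            return rec
    return group[-1]


def plan_connection(url, srv_records, dnssec_validated=False, rng=random.random):
    """Turn a DN-only URL plus an SRV answer into an explicit connection plan.

    SRV is used for host discovery only. For ldaps the SRV port (389 in this
    issue's scenario) is replaced by 636, and the name the server certificate is
    checked against is the source domain from the DN, not the SRV target, unless
    the SRV answer was obtained securely (RFC 6125 section 6.2.1)."""
    scheme, dn, domain = parse_dn_only_url(url)
    _priority, _weight, srv_port, target = select_srv_target(srv_records, rng)
    host = target.rstrip(".")
    port = LDAPS_PORT if scheme == "ldaps" else srv_port
    return {
        "domain": domain,
        "host": host,
        "srv_port": srv_port,
        "port": port,
        "port_overridden": port != srv_port,
        "uri": "%s://%s:%d/%s" % (scheme, host, port, quote(dn, safe="")),
        "verify_name": host if dnssec_validated else domain,
    }


if __name__ == "__main__":
    plan = plan_connection("ldaps:///dc%3Dexample%2Cdc%3Dorg", EXAMPLE_SRV)
    for key, value in plan.items():
        print("%-16s %s" % (key, value))
```

Running the block with the constructed RRset produces an explicit `ldaps://ldap1.example.org:636/...` URI, flags that the SRV port was overridden, and reports `example.org` as the name to verify the certificate against; passing `dnssec_validated=True` switches the reference identity to the SRV target, which is the only case in which the RFC allows it.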