Archive: Software Bugs/5341
Notes: fixed in HEAD, fixed in 2.4.8
Date: Tue, 29 Jan 2008 19:28:39 GMT
From: quanah@OpenLDAP.org
To: openldap-its@openldap.org
Subject: Invalid TLSCipherSuite causes hang
Full_Name: Quanah Gibson-Mount
Version: 2.4.7
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.23.156.219)

Setting TLSCipherSuite to "cipher1 cipher2" rather than "cipher1:cipher2" causes slapd to hang on startup (at least when using GnuTLS). It appears to be hanging indefinitely in ldap_pvt_tls_set_option().

--Quanah
Date: Tue, 29 Jan 2008 11:55:24 -0800
From: Steve Langasek <vorlon@debian.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>, 462588@bugs.debian.org
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek
> <vorlon@debian.org> wrote:

> > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > startup (which should be investigated).

> Filed upstream:
> <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

Sorry, the description of this ITS is inverted. It's *valid* ciphersuite values (i.e., "cipher1:cipher2") that cause the hang; invalid space-separated values are merely truncated after the first cipher in the list, which doesn't cause a hang, it just prevents the cipher list from being useful.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
Date: Thu, 31 Jan 2008 00:29:32 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@OpenLDAP.org, quanah@OpenLDAP.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
I ran into this problem a little while ago and scribbled up the attached patch to fix it. It's trivial enough and it works in my testing here.

Cheers,
Kyle Moffett

Content-Disposition: attachment; filename=tls.patch
Date: Thu, 31 Jan 2008 07:43:33 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@openldap.org, quanah@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> I ran into this problem a little while ago and scribbled up the
> attached patch to fix it. It's trivial enough and it works in my
> testing here.

Sorry, the patch seems to have gone out MIME-encoded and mostly useless to people who want to download it from the bug-tracker. Let me try again... (Sorry, still getting used to a new email client)

Cheers,
Kyle Moffett

Content-Disposition: attachment; filename=tls.patch.txt
Date: Thu, 31 Jan 2008 07:46:07 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@openldap.org, quanah@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
On Jan 31, 2008 7:43 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> > I ran into this problem a little while ago and scribbled up the
> > attached patch to fix it. It's trivial enough and it works in my
> > testing here.
>
> Sorry, the patch seems to have gone out MIME-encoded and mostly
> useless to people who want to download it from the bug-tracker. Let
> me try again... (Sorry, still getting used to a new email client)

Well damn, it still didn't work. Hopefully gmail won't mangle a pasted patch. Again, my apologies for the mess.

Cheers,
Kyle Moffett

--- openldap-2.4.7/libraries/libldap/tls.c.orig	2007-12-21 19:24:08.000000000 -0500
+++ openldap-2.4.7/libraries/libldap/tls.c	2007-12-21 19:36:02.000000000 -0500
@@ -300,6 +300,7 @@
 		for (i=0; i<n_ciphers; i++) {
 			if ( !strncasecmp( ciphers[i].name, ptr, len )) {
 				num++;
+				ptr = end + 1;
 				break;
 			}
 		}
@@ -330,6 +331,7 @@
 			 * only appear once in each list.
 			 */
 			if ( !strncasecmp( ciphers[i].name, ptr, len )) {
+				ptr = end + 1;
 				for (j=0; j<nkx; j++)
 					if ( kx[j] == ciphers[i].kx )
 						break;
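Review bot: in the first hunk (@@ -300,6 +300,7 @@) the new `ptr = end + 1;` runs only on the matched path, so the case where no entry of ciphers[] matches the current token is not advanced by this change; unless code outside the hunk already steps ptr on that path, a list with an unrecognised name followed by further entries would still not move on. Advancing ptr once after the `for (i=0; i<n_ciphers; i++)` loop instead, guarded by `if ( end )` because the last token has no ':' and `end + 1` computed from a NULL `end` is not a valid pointer, would cover both the matched and the unmatched path in one place.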
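Review bot: the second hunk (@@ -330,6 +331,7 @@) repeats the same advance, again only inside the matched branch, and places it before the `for (j=0; j<nkx; j++)` loop rather than after `num++` as in the first hunk; the same questions about the unmatched path and a NULL `end` apply here, and a single advance after each lookup loop would avoid having to keep the two copies in step, which matters because a silently shortened or non-terminating cipher list is a configuration the server either refuses to start with or starts with a weaker policy than the administrator wrote.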
Date: Fri, 1 Feb 2008 13:22:37 -0800
From: Steve Langasek <vorlon@debian.org>
To: Kyle Moffett <kyle@moffetthome.net>, openldap-its@openldap.org
Cc: 462588@bugs.debian.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
Hi Kyle,

On Fri, Feb 01, 2008 at 12:15:52AM -0500, Kyle Moffett wrote:
> On Jan 29, 2008 2:55 PM, Steve Langasek <vorlon@debian.org> wrote:
> > On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> > > --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek <vorlon@debian.org> wrote:
> > > > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > > > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > > > startup (which should be investigated).

> > > Filed upstream:
> > > <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

> > Sorry, the description of this ITS is inverted. It's *valid* ciphersuite
> > values (i.e., "cipher1:cipher2") that cause the hang; invalid
> > space-separated values are merely truncated after the first cipher in the
> > list, which doesn't cause a hang, it just prevents the cipher list from
> > being useful.

> Steve, would you mind testing the patch I posted there? It fixed the
> problem for me when I wrote it a month or two ago, hopefully it will
> fix the problem for you too.

Thanks, I can confirm this fixes the problem here. I'm able to set multiple ciphers in a TLSCipherSuite list, and able to connect appropriately with ldapsearch and gnutls-cli after the change.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
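A model of the parsing loop this thread describes (the "cipher1:cipher2" list that never terminates) next to a version that advances on every path, as an added example that is not OpenLDAP's tls.c nor Kyle's patch; the cipher table and names are constructed, and rejecting an unknown name outright is a stricter choice than the truncation Steve describes.

```c
/* Added example, not OpenLDAP code: a model of the colon-separated
 * TLSCipherSuite list parser discussed in ITS#5341 (table is constructed). */
#include <string.h>
#include <strings.h>

static const char *const known[] = { "AES-128-CBC", "AES-256-CBC", "3DES-CBC" };
#define N_KNOWN (sizeof known / sizeof known[0])

/* Index of token [ptr, ptr+len) in known[], or -1.  Checking the length
 * keeps a prefix such as "AES-128" from matching a longer name. */
static int lookup(const char *ptr, size_t len)
{
    for (size_t i = 0; i < N_KNOWN; i++)
        if (strlen(known[i]) == len && !strncasecmp(known[i], ptr, len))
            return (int)i;
    return -1;
}
/* Parse "c1:c2:..." into out[] (indices into known[]; out may be NULL).
 * Returns the cipher count, or -1 on an unknown or empty token: failing
 * closed keeps the configured policy intact instead of silently shortening
 * it.  ptr advances on every pass, matched or not, so the loop always ends. */
int parse_suites(const char *suites, int *out, int max)
{
    const char *ptr = suites, *end;
    int num = 0;
    do {
        end = strchr(ptr, ':');
        size_t len = end ? (size_t)(end - ptr) : strlen(ptr);
        int idx = lookup(ptr, len);
        if (idx < 0) return -1;
        if (out && num < max) out[num] = idx;
        num++;
        if (end) ptr = end + 1;     /* step past ':'; never from a NULL end */
    } while (end);                  /* last token has no ':' and ends the scan */
    return num;
}

/* Shape of the loop the thread describes: ptr is never advanced, so a list
 * containing ':' rescans its first token forever.  A step budget stands in
 * for the hang: returns 1 if it runs out (would hang), else 0. */
int buggy_would_hang(const char *suites, int budget)
{
    const char *ptr = suites, *end;
    do {
        end = strchr(ptr, ':');     /* ptr stays where it was */
    } while (end && --budget > 0);
    return end != NULL;
}
```

The space-separated form from the original report is a single unknown token to parse_suites and is rejected, whereas a valid multi-entry list exhausts the budget in buggy_would_hang exactly as the server hung on startup.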
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org