OpenLDAP
Viewing Software Bugs/5992

From: mathias.gug@canonical.com
Subject: libldap with gnutls don't trust V1 CAs.
Date: Wed, 04 Mar 2009 23:20:59 +0000
From: mathias.gug@canonical.com
To: openldap-its@OpenLDAP.org
Subject: libldap with gnutls don't trust V1 CAs.
Full_Name: Mathias Gug
Version: 2.4.15
OS: Ubuntu Linux (Jaunty - 9.04)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.56.226.136)


Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
CA chain is checked. Thus libldap+gnutls breaks in existing environment when
one of the CA certs uses a V1 certificate. However libldap+openssl still
supports V1 certificates in the CA chain.

See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
information.

Could libldap+gnutls be updated to also support V1 CA certificates to match
features provided by libldap+openssl?

To reproduce:

0. Need two versions of openldap : one compiled with gnutls, the other with
openssl.

1. Create a V1 CA.
2. Create a certificate to be used by slapd and sign it with the V1 CA.
3. Configure a slapd+openssl system with the certificates issued above.
4. Try to connect to the slapd+openssl system with a libldap+gnutls client:

mathiaz@t-slapd-gnutls:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./ -d 1
ldap_url_parse_ext(ldaps://t-slapd-openssl./)
ldap_create
ldap_url_parse_ext(ldaps://t-slapd-openssl.:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP t-slapd-openssl.:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.42.220:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On a system with libldap+openssl:

mathiaz@t-slapd-openssl:~$ ldapsearch -b "dc=vmnet" -D "cn=admin,dc=vmnet" -x -w mypwd -H ldaps://t-slapd-openssl./
# extended LDIF
#
# LDAPv3
# base <dc=vmnet> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# vmnet
dn: dc=vmnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: vmnet
dc: vmnet

# admin, vmnet
dn: cn=admin,dc=vmnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fWtlVHlnV1lleFBDWFU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

$

ldapsearch is able to connect to the slapd+openssl server.
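The practical question behind this report, from a defender's side, is "which certificates in my existing CA bundle are V1 and will stop being trusted once GnuTLS 2.6.3 or later is in the chain?" The script below is an added example written for this page, not code from the report or from the OpenLDAP project. It decodes just enough DER to read the X.509 version field: because `version` is `DEFAULT v1` and DER omits default values, a V1 certificate has no `[0]` element at all and its TBSCertificate starts directly with the serial number. The two sample certificates are hand-built DER skeletons (labelled as constructed in the code), not real signed certificates; `find_v1_certs()` also works on a real PEM bundle such as the file named by `TLS_CACERT` in ldap.conf.

```python
import base64
import re


# Minimal DER TLV reader: enough to walk the outer layers of an X.509
# certificate. Handles short- and long-form (definite) lengths.
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate.

    Certificate    ::= SEQUENCE { tbsCertificate TBSCertificate, ... }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1,
                                  serialNumber INTEGER, ... }
    A V1 certificate carries no [0] element, so the TBS starts with the
    serialNumber INTEGER; otherwise version is encoded as v1(0)/v2(1)/v3(2).
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # [0] EXPLICIT: version present
        inner, value, _ = _read_tlv(first, 0)
        if inner != 0x02:
            raise ValueError("version is not an INTEGER")
        return int.from_bytes(value, "big") + 1
    if tag == 0x02:                        # serialNumber first: version absent
        return 1
    raise ValueError("unexpected first element in tbsCertificate")


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def find_v1_certs(bundle_pem):
    """Return the 0-based indices of the V1 certificates in a PEM bundle."""
    hits = []
    for i, m in enumerate(_PEM_RE.finditer(bundle_pem)):
        der = base64.b64decode("".join(m.group(1).split()))
        if x509_version(der) == 1:
            hits.append(i)
    return hits


# --- constructed sample data (DER skeletons, not real certificates) --------
def _der(tag, content):
    """Encode one DER TLV; short-form length suffices for these samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _fake_cert(tbs):
    # signatureAlgorithm and signatureValue are placeholders; the version
    # check never looks at them.
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


# V3 skeleton: version [0] { INTEGER 2 } followed by serialNumber INTEGER 1
V3_SAMPLE = _fake_cert(
    _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")))
# V1 skeleton: no version element, serialNumber INTEGER 1 comes first
V1_SAMPLE = _fake_cert(_der(0x30, _der(0x02, b"\x01")))

SAMPLE_BUNDLE = _pem(V3_SAMPLE) + _pem(V1_SAMPLE)

if __name__ == "__main__":
    print("V1 certificates at bundle indices:", find_v1_certs(SAMPLE_BUNDLE))
```

Run it against the bundle that libldap+gnutls is configured to trust; any index it reports is a CA that GnuTLS will reject unless the verify flag discussed in the followups is set, and is a candidate for reissuing as a V3 CA certificate.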

Followup 1

Date: Wed, 04 Mar 2009 19:01:16 -0800
From: Howard Chu <hyc@symas.com>
To: mathias.gug@canonical.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.
mathias.gug@canonical.com wrote:
> Full_Name: Mathias Gug
> Version: 2.4.15
> OS: Ubuntu Linux (Jaunty - 9.04)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.56.226.136)
>
>
> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
> CA chain is checked. Thus libldap+gnutls breaks in existing environment when
> one of the CA certs uses a V1 certificate. However libldap+openssl still
> supports V1 certificates in the CA chain.
>
> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
> information.
>
> Could libldap+gnutls be updated to also support V1 CA certificates to match
> features provided by libldap+openssl?

Just to be clear, are you requesting that libldap unconditionally call
gnutls_certificate_set_verify_flags() with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT 
parameter?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Fri, 6 Mar 2009 17:45:14 -0500
From: Mathias Gug <mathiaz@ubuntu.com>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.
On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environment when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>>
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>>
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with 
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

Yes. The patch pushed in CVS works as expected. 

I agree that having an option to enable/disable the trust of V1 CA
certificates would be helpful.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org