[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5667) Problem in the startTLS Command processing

To: openldap-its@OpenLDAP.org
Subject: (ITS#5667) Problem in the startTLS Command processing
From: john.w.clark@hp.com
Date: Fri, 22 Aug 2008 21:53:47 GMT

Full_Name: 
Version: 2.3.36 and earlier and I assume also later
OS: Red Hat Enterprise Linux 4.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (15.203.233.75)


This problem was previously described one the openLDAP websiste at: 

http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html

The described fix is not included in release 2.3.36 and I assume that it has not
been included in later releases either.

The probem is with the response to the 'startTLS' command in the 'slapd' server.


Here is an excerpt from the write up at the above URL:

**************************************************************
Having fixed described above we came across another issues which concerns
TLS extended operation response.

As RFC2830 states:

...
   A Start TLS extended response MUST contain a responseName field which
   MUST be set to the same string as that in the responseName field
   present in the Start TLS extended request.
...

Unfortunately OpenLDAP server doesn't return the 'responseName' field. This
defect may prevent other LDAP APIs from understanding the response of
OpenLDAP servers. For instance, Microsoft LDAP API doesn't accept the
response without this field. We suggest to add the responseName field to the
response. This is also a trivial one:

rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);

before 'rc = LDAP_SUCCESS;' in starttls_extop() function (starttls.c).

3. Patch

Unfortunately didn't manage to get access to the /incoming FTP folder
despite the fact I used my email as password. So here is a patch for both
problems:

=============
--- orig/starttls.c	2004-01-01 21:15:32.000000000 +0200
+++ fixed/starttls.c	2004-05-27 14:14:54.000000000 +0300
@@ -94,6 +94,8 @@
     op->o_conn->c_is_tls = 1;
     op->o_conn->c_needs_tls_accept = 1;
 
+    rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
+
     rc = LDAP_SUCCESS;
 
 done:
=============

Looking forward for your comments...

Sincerely yours,

Kirill Kovalenko
Softerra LLC
************************************************************


Thanks and Regards,
John Clark

john.w.clark@hp.com
Sr. Software Engineer
Hewlett-Packard
Atalla Security Products

Prev by Date: Re: (ITS#5662) Comments in schema declarations separated by semicolon
Next by Date: Re: (ITS#5667) Problem in the startTLS Command processing
Index(es):
- Chronological
- Thread