Re: (ITS#6838) TLS client will not accept certificate for 'localhost'



On Fri, Feb 18, 2011 at 12:30:25AM +0000, hyc@symas.com wrote:

> Used to work - since when, what release, what else has changed since then? 

Unfortunately I cannot tell you exactly when this changed. In any case,
the change only affects a different bug which was masking the problem
that I now see.

I do know that 2.3.32 as shipped with SLES 10.3 masks the problem by
not checking the server certificate properly. So does 2.4.12 as shipped
with OpenSuSE 11.1. Both will allow ldapsearch -ZZ to connect to *any*
TLS-capable server if they do *not* have access to the CA certificate.

2.4.24 built on OpenSuSE 11.3 (i.e. using OpenSSL 1.0) correctly refuses
to connect if there is no CA cert.

All versions that I have tested (certainly back to 2.3.32) incorrectly
fail to connect when the URL is ldap://localhost:1389/ and a CA cert is
provided.

> I'll note that I just tested some localhost certs a few days ago and they were 
> fine, and the cert verification code hasn't changed in quite a long time.
> 
> (E.g., ITS#6711 the test setup there uses localhost with no problem.)

Hmm - that seems to be server-to-server. My problem is with the client
tools, so maybe a different code-path is used.

I have put a small test case here:
	ftp://ftp.openldap.org/incoming/afindlay-localhost-tls-test-20110218.tgz

The server cert is valid for 'localhost' and also for '127.0.0.1'

The tests are:

        sh 1-plain
                Plain LDAP connection - no problems
                Connects to ldap://localhost:1389/

        sh 2-tls-no-ca
                With TLS but client has no access to the CA cert so this should fail
                with a complaint about 'self-signed certificate'

        sh 3-tls-with-ca
                With TLS and access to the CA cert.
                Connects to ldap://localhost:1389/
                This should succeed but it does not.

        sh 4-tls-with-ca-numeric
                With TLS and access to the CA cert.
                This one uses ldap://127.0.0.1:1389/ and succeeds.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
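The behaviour the tests above expect from a TLS client is that the name in the URL is checked against the server certificate in two different ways: a DNS name such as "localhost" against the DNS entries in the subjectAltName (falling back to the subject CN only if there are none), and a literal IP such as "127.0.0.1" against the IP-address entries, so that a cert issued for both names is accepted on either URL. The following is an added example of that matching logic, written for this page; it is not OpenLDAP's code and says nothing about why the reported client fails. The certificate is a constructed stand-in in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with the two names from the post (CN=localhost, DNS:localhost, IP:127.0.0.1), and the matching rules follow RFC 6125 (case-insensitive labels, a wildcard only as the whole left-most label). It generalises slightly beyond the post by also handling wildcard DNS-IDs and bracketed IPv6 hosts in the URL.

```python
"""Hostname matching as a TLS client should do it for a certificate
valid for DNS 'localhost' and IP '127.0.0.1'.  Example code written
for this page; the certificate dict is a constructed stand-in in
ssl.getpeercert() format, and the rules are RFC 6125 style, not
OpenLDAP's implementation."""

import ipaddress

# Constructed stand-in for the server certificate in the test case:
# subject CN=localhost, subjectAltName = DNS:localhost, IP:127.0.0.1.
TEST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID comparison: labels compared case-insensitively,
    a single '*' allowed only as the entire left-most label and only when
    at least two more labels follow (so '*.example.org' is fine, '*' and
    '*.org' are not)."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def host_matches_cert(cert, host):
    """Return (ok, reason).  A literal IP address is matched only against
    'IP Address' SAN entries; a DNS name against 'DNS' SAN entries, with
    the subject CN consulted only when the cert carries no DNS SAN at all."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value}"
        return False, f"no IP SAN for {host}"
    dns_sans = [v for k, v in sans if k == "DNS"]
    for pattern in dns_sans:
        if _dns_match(pattern, host):
            return True, f"DNS SAN {pattern}"
    if not dns_sans:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value, host):
                    return True, f"CN {value}"
    return False, f"no DNS SAN or CN for {host}"


def url_host(url):
    """Extract the host from an ldap:// or ldaps:// URL such as the ones in
    the tests, handling an optional port and a bracketed IPv6 literal."""
    host_port = url.split("//", 1)[1].split("/", 1)[0]
    if host_port.startswith("["):
        return host_port[1:host_port.index("]")]
    return host_port.rsplit(":", 1)[0] if ":" in host_port else host_port


def check_ldap_url(cert, url):
    """Apply host_matches_cert to the host part of a URL."""
    return host_matches_cert(cert, url_host(url))


if __name__ == "__main__":
    for url in ("ldap://localhost:1389/", "ldap://127.0.0.1:1389/",
                "ldap://[::1]:1389/", "ldap://ldap.example.org:1389/"):
        print(url, check_ldap_url(TEST_CERT, url))
```

With the stand-in cert, both ldap://localhost:1389/ and ldap://127.0.0.1:1389/ are accepted, ldap://[::1]:1389/ is refused because there is no IP SAN for ::1, and a name not in the cert is refused. A client that only compared the host against the CN, or only against DNS SANs, would get one of the two test URLs wrong, which is the kind of asymmetry the test scripts 3 and 4 are designed to expose.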