
(ITS#7206) ldaprc: TLS_REQCERT demand does not terminate session, if a bad certificate comes from the server



Full_Name: Michael Keller
Version: 2.4.20
OS: SLES 11 SP1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (95.131.98.154)


I have configured slapd to accept only TLS connections with:

security ssf=1 update_ssf=112 simple_bind=64

An ldapsearch -x correctly returns a
"# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required"

When using TLS_REQCERT=demand, an ldapsearch -x -Z still returns results, even
if a bad certificate comes from the server. See debug output below.
ldapsearch -x -Z

ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=ee,dc=psi> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ee.psi
dn: dc=ee,dc=psi
objectClass: dcObject
objectClass: organization
dc: ee
o: PSI-EE

# People, ee.psi
dn: ou=People,dc=ee,dc=psi
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, ee.psi
dn: ou=Group,dc=ee,dc=psi
ou: Group
objectClass: top
objectClass: organizationalUnit

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3


Only when using "-ZZ" is the connection not established. But the man page states
that the connection is terminated immediately if a bad certificate is supplied
("ldap_start_tls returns with an error").
I think with "TLS_REQCERT demand" and a bad certificate the connection should be
terminated even if just "-Z" is used. At the moment the behaviour is the same
for TLS_REQCERT = allow|try|demand.

Debug output:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject:
/DC=psi/DC=ee/ST=Germany/O=PSI AG/OU=EE/CN=ee-caroot.ee.psi, issuer:
/DC=psi/DC=ee/ST=Germany/O=PSI AG/OU=EE/CN=ee-caroot.ee.psi
TLS certificate verification: depth: 1, err: 0, subject:
/DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI
AG/OU=EE/CN=EE-SigningCA@ldap-srv11, issuer: /DC=psi/DC=ee/ST=Germany/O=PSI
AG/OU=EE/CN=ee-caroot.ee.psi
TLS certificate verification: depth: 0, err: 0, subject:
/DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI AG/OU=EE/CN=ldap-srv11.ee.psi,
issuer: /DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI
AG/OU=EE/CN=EE-SigningCA@ldap-srv11
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap-srv11) does not match common name in certificate
(ldap-srv11.ee.psi).
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x615150 msgid 2
wait4msg ld 0x615150 msgid 2 (infinite timeout)
wait4msg continue ld 0x615150 msgid 2 all 1
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012


** ld 0x615150 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid 2 all 1
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x615150 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x615150 0 new referrals
read1msg:  mark request completed, ld 0x615150 msgid 2
request done: ld 0x615150 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 51 bytes to sd 3
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012


** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 89 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012


** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 89 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012


** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 87 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012


** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x615150 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x615150 0 new referrals
read1msg:  mark request completed, ld 0x615150 msgid 3
request done: ld 0x615150 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
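The following Python model is an added example, not code from the report or from OpenLDAP. It shows the two client-side decisions the report turns on: why the short hostname "ldap-srv11" does not match the certificate's CN "ldap-srv11.ee.psi" (label-by-label matching with no search-domain completion, the rule libldap applies to the hostname given on the command line), and how the TLS_REQCERT levels documented in ldap.conf(5) (never, allow, try, demand/hard) combine with -Z (StartTLS failure only reported) versus -ZZ (StartTLS failure fatal). The decision function implements the documented semantics the reporter expects, not the 2.4.20 behaviour shown in the trace above; cert_names is assumed to be the list of DNS identities already extracted from the server certificate.

```python
from typing import Sequence


def hostname_matches(hostname: str, cert_names: Sequence[str]) -> bool:
    """Match a hostname against the certificate's DNS identities.

    Comparison is case-insensitive and label by label, so a short name is
    never completed with a search domain: 'ldap-srv11' has one label and
    'ldap-srv11.ee.psi' has three, which is the mismatch seen in the trace.
    A '*' is accepted only as the entire leftmost label of a name with at
    least two further labels ('*.ee.psi' matches 'ldap-srv11.ee.psi', not
    'ee.psi' and not 'a.b.ee.psi').
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
            continue
        if labels == host_labels:
            return True
    return False


def should_terminate(reqcert: str, cert_present: bool, cert_valid: bool) -> bool:
    """TLS_REQCERT semantics as documented in ldap.conf(5).

    never       : no certificate is requested, nothing can fail
    allow       : missing or bad certificate, session proceeds anyway
    try         : missing certificate tolerated, bad certificate terminates
    demand/hard : missing or bad certificate terminates the session
    """
    level = reqcert.lower()
    if level in ("never", "allow"):
        return False
    if level == "try":
        return cert_present and not cert_valid
    if level in ("demand", "hard"):
        return not (cert_present and cert_valid)
    raise ValueError(f"unknown TLS_REQCERT level: {reqcert!r}")


def starttls_decision(hostname: str, cert_names: Sequence[str],
                      reqcert: str, strict: bool) -> str:
    """Outcome of a StartTLS attempt; strict=False models -Z, strict=True -ZZ.

    Returns one of:
      'proceed-tls'        certificate verified, search runs over TLS
      'abort'              session terminated (policy) or StartTLS fatal (-ZZ)
      'proceed-unverified' verification failed but the policy tolerates it
                           and -Z only reports the StartTLS error
    """
    if hostname_matches(hostname, cert_names):
        return "proceed-tls"
    # Certificate was presented but its identity does not match.
    if should_terminate(reqcert, cert_present=True, cert_valid=False):
        return "abort"
    return "abort" if strict else "proceed-unverified"


if __name__ == "__main__":
    # Constructed inputs taken from the names in the trace above.
    cert = ["ldap-srv11.ee.psi"]
    for host, level, strict in [("ldap-srv11", "demand", False),
                                ("ldap-srv11", "allow", False),
                                ("ldap-srv11", "allow", True),
                                ("ldap-srv11.ee.psi", "demand", False)]:
        flag = "-ZZ" if strict else "-Z"
        print(f"{host:20} TLS_REQCERT={level:7} {flag:3} -> "
              f"{starttls_decision(host, cert, level, strict)}")
```

The practical takeaway for operators is visible in the last case: connecting with the FQDN the certificate actually carries passes verification under every level, and the combination of TLS_REQCERT demand with -ZZ is the one that refuses to run the search on any verification failure regardless of which release's StartTLS error handling is in play.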