[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error
From: hyc@symas.com
Date: Fri, 16 Jun 2017 14:25:28 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

kurt@openldap.org wrote:
> Full_Name: Kurt Zeilenga
> Version: most every
> OS: MacOS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:470:f052:8000:7cca:294:b2d:2652)
>
>
> The client tools were designed to support optimistic encryption (-Z)...  in
> cases where the server says "yes, let's start TLS...", TLS negotiations must be
> entered into and, if they fail, no further LDAP traffic should be allowed on the
> stream. Upon TLS alert, the session should no longer usable.  Further attempts
> to send any PDU should fail.

I guess this was never stated clearly. "-ZZ" meant require TLS, drop the 
session if TLS fails. "-Z" meant proceed if TLS fails. No one ever specified 
exactly what types of failures were intended in either situation.
>
> But one could argue that the bug is simply the LDAP application software
> ignoring the local (non-LDAP) errors coming from ldap_start_tls_s().  In this
> case, the following trivial patch would address the issue.
>
> diff --git a/clients/tools/common.c b/clients/tools/common.c
> index 7f758cb..089dd9b 100644
> --- a/clients/tools/common.c
> +++ b/clients/tools/common.c
> @@ -1367,7 +1367,7 @@ dnssrv_free:;
>                                 ldap_get_option( ld,
> LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
>                                 tool_perror( "ldap_start_tls", rc, NULL, NULL,
> msg, NULL );
>                                 ldap_memfree(msg);
> -                           if ( use_tls > 1 ) {
> +                         if ( use_tls > 1 || rc < 0) {
>                                         tool_exit( ld, EXIT_FAILURE );
>                                 }
>                         }
>
> However, it might be better to do something at a lower level to ensure that all
> subsequent attempts to send LDAP PDUs over the wire after a TLS Alert fail.
>
> I hereby place the above patch into the public domain.
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error
Next by Date: Re: (ITS#6077) Spurious uniqueness errors with filters in unique overlays
Index(es):
- Chronological
- Thread