
Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client



Siddharth Jain wrote:
> we have documented complete steps to repro the bug here <https://github.com/siddjain/openldap-bug> with container logs.

I see no error here.

Using your cert/key files:

> ls -l /tmp/jnj
total 12
-rw-r--r-- 1 hyc hyc 1592 Apr 24 17:34 jnj-ca-chain.pem
-rw-r--r-- 1 hyc hyc  241 Apr 24 17:34 jnj-ldap-server-tls.key
-rw-r--r-- 1 hyc hyc 1111 Apr 24 17:34 jnj-ldap-server-tls.pem

###

With this slapd config
vielle:~/OD/hobj/tests> cat testrun/slapd.1.conf

include		./schema/core.schema
include		./schema/cosine.schema
include		./schema/inetorgperson.schema
include		./schema/openldap.schema
include		./schema/nis.schema
include		./testdata/test.schema

pidfile		/home/hyc/OD/hobj/tests/testrun/slapd.1.pid
argsfile	/home/hyc/OD/hobj/tests/testrun/slapd.1.args

sockbuf_max_incoming 4194303

TLSCAcertificatefile /tmp/jnj/jnj-ca-chain.pem
TLSCertificateFile /tmp/jnj/jnj-ldap-server-tls.pem
TLSCertificateKeyFile /tmp/jnj/jnj-ldap-server-tls.key


database	mdb
suffix		"dc=example,dc=com"
rootdn		"cn=Manager,dc=example,dc=com"
rootpw		secret
directory	/home/hyc/OD/hobj/tests/testrun/db.1.a
index		objectClass	eq
index		cn,sn,uid	pres,eq,sub
maxsize	33554432

database	monitor
###

And this slapd invocation from the OpenLDAP build tree
vielle:~/OD/hobj/tests> ../servers/slapd/slapd -f testrun/slapd.1.conf -h ldaps://:9011 -s0 -d7

I get no verification error:
> openssl s_client -connect localhost:9011 -state -nbio -CAfile jnj-ca-chain.pem -showcerts
CONNECTED(00000005)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=2 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
verify return:1
depth=1 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
verify return:1
depth=0 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
read R BLOCK
---
Certificate chain
 0 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
-----BEGIN CERTIFICATE-----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3D
-----END CERTIFICATE-----
 1 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
-----BEGIN CERTIFICATE-----
MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw
WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN
MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg
Sm9obnNvbjEbMA0GA1UECxMGY2xpZW50MAoGA1UECxMDam5qMRYwFAYDVQQDEw1y
Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf
iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0
DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han
Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2
2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an
gjeXphQ=
-----END CERTIFICATE-----
 2 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server

issuer=C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2254 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4E6019F281D63D69D1C800DF4D2441CC918FF4A3AFA8A0A6D6D05FFB544E91F2
    Session-ID-ctx:
    Resumption PSK: A00E7F64B5EA00718122A6F34EF0EC9167F437BDB832D9C64834D18F367E8AD2AD5F9BCF9649330D321DC19D0AB49882
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90   .~[.=o.Ix....xX.
    0010 - 00 78 10 a6 94 fb 36 96-f9 8b 17 53 8b 27 14 b5   .x....6....S.'..
    0020 - 5d 2d 28 3b db 26 71 44-65 c3 43 d6 8e e8 46 a8   ]-(;.&qDe.C...F.
    0030 - 05 8a 34 57 c0 42 71 03-4f 70 ad 20 07 74 fc 94   ..4W.Bq.Op. .t..
    0040 - e8 e4 9d 89 d0 45 db 2c-62 4a 28 b6 31 f9 3f af   .....E.,bJ(.1.?.
    0050 - 46 7c f7 f8 9f b1 0b 7c-ea 70 a1 f0 4c 2f 62 0a   F|.....|.p..L/b.
    0060 - e3 e9 83 47 0e f2 e5 71-a5 0c ba 2a 8d 7d f8 e2   ...G...q...*.}..
    0070 - 21 84 1a 1a 86 4f 02 0a-4c 9a 17 77 af 9e 64 1f   !....O..L..w..d.
    0080 - 72 c5 e5 45 d1 bb 92 0a-ae fe e9 b1 bc 46 7d 13   r..E.........F}.
    0090 - aa 2b 9b c1 3d 92 8b 1d-08 6c 11 12 a0 b7 c8 a3   .+..=....l......
    00a0 - b2 bb 2b d9 bd 70 86 0d-91 45 5c 23 b6 b0 6a 3a   ..+..p...E\#..j:
    00b0 - 61 1d 3a c1 4a 36 48 b4-b3 03 a9 8b 41 94 fd 67   a.:.J6H.....A..g
    00c0 - 53 a6 03 a4 ab c6 a0 7e-e9 39 98 a8 c9 01 bc c0   S......~.9......

    Start Time: 1556123794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
SSL_connect:SSLv3/TLS read server session ticket
read R BLOCK
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A7B81922756F8F5B986C7B38E0F29399F8127F52D042EB7D0DCEDB8D4CD577B5
    Session-ID-ctx:
    Resumption PSK: 5FDD5DF642126A4F04D05EBBECDBB92BBCBAB6A7E05051224D646693BBD0B964C039185F933442D400BBCBC92A832913
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90   .~[.=o.Ix....xX.
    0010 - d3 10 28 b9 01 6b 4b 92-1e 3e ae 3b 7f 4e cc 6c   ..(..kK..>.;.N.l
    0020 - 19 d3 0b ac 9c b9 21 4d-ed 78 2c 35 d3 03 ba 11   ......!M.x,5....
    0030 - 22 59 1c 0d 91 a5 da 93-a0 0a 54 88 aa 81 be 89   "Y........T.....
    0040 - e0 2e 74 71 8e c8 fd f7-9d 5c 99 15 42 23 47 cf   ..tq.....\..B#G.
    0050 - 0d 56 97 10 f3 f8 02 fe-69 65 e6 1c fa 7d 96 fe   .V......ie...}..
    0060 - 86 d2 c2 64 2c 6e 96 3d-14 e2 87 47 91 69 ef df   ...d,n.=...G.i..
    0070 - 14 d5 75 0d ff da 61 04-26 56 5d 8b d3 4d 2d 2d   ..u...a.&V]..M--
    0080 - 78 fa 65 6d ad ef 15 ba-14 45 f0 ba a6 85 fb 95   x.em.....E......
    0090 - dc e5 9b 1c ac e4 66 de-c2 6e 3f e7 1e 47 09 25   ......f..n?..G.%
    00a0 - 89 b0 c3 c0 4c 93 64 de-23 3e 58 67 ae f3 7e e4   ....L.d.#>Xg..~.
    00b0 - d5 af 4d 31 40 24 87 da-ec e7 3f 8a 48 b5 9d 23   ..M1@$....?.H..#
    00c0 - d4 53 01 fa 18 39 79 0f-9b 9c ea ed 71 63 c5 2f   .S...9y.....qc./

    Start Time: 1556123794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
SSL_connect:SSLv3/TLS read server session ticket
read R BLOCK
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
vielle:/home/software/openldap-bug>
###

There is no OpenLDAP bug here. Your server environment is broken.
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
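An added example, not part of this thread and not OpenLDAP or Symas code: the question in the subject line ("does slapd modify the certificate it serves?") is settled objectively by comparing the DER bytes the server actually presents with the DER bytes of the file named by TLSCertificateFile, not by reading subjects off the screen. The stdlib-only Python below extracts the certificate blocks from `openssl s_client -showcerts` output and from the configured PEM file, SHA-256-fingerprints the DER of each, and reports whether the served leaf equals the configured one. The embedded certificate is the rca-jnj-admin intermediate copied from the s_client output above (the leaf itself was elided from the page); the s_client transcript wrapped around it is constructed, so here the intermediate stands in for a leaf. Function names are my own.

```python
# Added example (not OpenLDAP/Symas code): is the certificate a TLS server
# presents byte-for-byte the one it was configured with?  Compare SHA-256
# fingerprints of the DER bodies.  Served side: text of
# `openssl s_client -showcerts`; configured side: the TLSCertificateFile PEM.
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Real certificate copied from the s_client output in the thread above
# (the rca-jnj-admin intermediate).  It stands in for a leaf certificate here.
PAGE_INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw
WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN
MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg
Sm9obnNvbjEbMA0GA1UECxMGY2xpZW50MAoGA1UECxMDam5qMRYwFAYDVQQDEw1y
Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf
iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0
DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han
Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2
2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an
gjeXphQ=
-----END CERTIFICATE-----
"""

# Constructed stand-in for `openssl s_client -showcerts` output.  Only the
# PEM blocks matter to the parser; they appear in the order the server sent
# them, leaf first.
S_CLIENT_SAMPLE = (
    "CONNECTED(00000005)\n---\nCertificate chain\n"
    " 0 s:CN = jnj-ldap-server\n   i:CN = rca-jnj-admin\n"
    + PAGE_INTERMEDIATE_PEM
    + "---\nServer certificate\n"
)


def pem_to_ders(text):
    """Return the DER bytes of every CERTIFICATE block in text, in order.
    validate=True makes stray characters an error instead of being skipped."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(text)]


def fingerprint(der):
    """SHA-256 over the DER encoding: the value `openssl x509 -fingerprint
    -sha256` prints, minus the colons."""
    return hashlib.sha256(der).hexdigest()


def audit_served_cert(s_client_output, configured_cert_pem):
    """Compare the first (leaf) certificate the server presented with the
    first certificate in the configured TLSCertificateFile."""
    served = pem_to_ders(s_client_output)
    configured = pem_to_ders(configured_cert_pem)
    if not served:
        raise ValueError("no certificate found in s_client output")
    if not configured:
        raise ValueError("no certificate found in configured file")
    served_fp = fingerprint(served[0])
    configured_fp = fingerprint(configured[0])
    return {
        "served_leaf": served_fp,
        "configured": configured_fp,
        "leaf_matches": served_fp == configured_fp,
        "served_chain_length": len(served),
    }


if __name__ == "__main__":
    for key, value in audit_served_cert(S_CLIENT_SAMPLE,
                                        PAGE_INTERMEDIATE_PEM).items():
        print(f"{key}: {value}")
```

To use it against a real server, feed it the text of `openssl s_client -connect host:port -showcerts </dev/null` and the contents of the file named by TLSCertificateFile. Equal fingerprints mean the server sent the file unchanged and any verification failure lies on the verifying side (CA file, trust store, OpenSSL build); a mismatch means the bytes on the wire really differ from the bytes on disk and is worth a bug report.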