
(ITS#9176) libldap support for TLSv1.3 Encrypted SNI



Full_Name: Ryan Tandy
Version: master
OS: Debian
URL: 
Submission from: (NULL) (70.66.128.207)
Submitted by: ryan


ldap.google.com requires clients to support SNI and sends back an intentionally
invalid certificate if it is not used. Affects libldap with both OpenSSL and
GnuTLS. (Might want a separate ITS for each fix.)

With OpenSSL:

$ ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x -d1
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.239.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 0, err: 18, subject: /OU=No SNI provided;
please fix your client./CN=invalid2.invalid, issuer: /OU=No SNI provided; please
fix your client./CN=invalid2.invalid
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (self signed
certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


With GnuTLS:

$ ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x -d1
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.239.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


When the client does not support SNI, this server sends back a dummy
certificate:

OU = "No SNI provided; please fix your client.", CN = invalid2.invalid

which obviously does not validate. The same behaviour can be seen with "openssl
s_client -noservername" or "gnutls-cli --disable-sni".

For GnuTLS, we have to call gnutls_server_name_set(3) to enable SNI. The
documentation notes that it should only be called with a DNS name, not with an
IP address. I guess there's a corresponding call for OpenSSL.
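As an added example (not code from this report or from libldap), the gate the report describes: hand the host to the TLS library's SNI setter only when it is a DNS name, never an IPv4 or IPv6 literal. The HAVE_GNUTLS and HAVE_OPENSSL macros are assumed build flags, and SSL_set_tlsext_host_name is OpenSSL's counterpart to gnutls_server_name_set(3), which the report does not name.

```c
#include <arpa/inet.h>
#include <string.h>

#if defined(HAVE_GNUTLS)
#include <gnutls/gnutls.h>
#elif defined(HAVE_OPENSSL)
#include <openssl/ssl.h>
#endif

/* Returns 1 if `host` is an IPv4 or IPv6 literal (RFC 6066 forbids
 * sending those in the SNI extension), 0 if it looks like a DNS name. */
int sni_host_is_ip_literal(const char *host)
{
    unsigned char buf[16];
    char tmp[64];
    size_t len = strlen(host);

    /* Strip the brackets of an IPv6 literal as written in an LDAP URL: [::1] */
    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof tmp)
            return 0; /* too long to be an address literal */
        memcpy(tmp, host + 1, len - 2);
        tmp[len - 2] = '\0';
        host = tmp;
    }
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Sets SNI on `session` only for a DNS name. Returns 1 if SNI was set
 * (or would be, when no TLS library is compiled in), 0 if skipped or failed. */
int sni_set_if_dns_name(void *session, const char *host)
{
    if (host == NULL || *host == '\0' || sni_host_is_ip_literal(host))
        return 0;
#if defined(HAVE_GNUTLS)
    if (gnutls_server_name_set((gnutls_session_t)session, GNUTLS_NAME_DNS,
                               host, strlen(host)) != GNUTLS_E_SUCCESS)
        return 0;
#elif defined(HAVE_OPENSSL)
    if (SSL_set_tlsext_host_name((SSL *)session, host) != 1)
        return 0;
#else
    (void)session; /* assumption: stand-alone build without a TLS library */
#endif
    return 1;
}
```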

With GnuTLS, users can work around it for the short term by disabling TLSv1.3
via priority string, i.e.:

LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3' ./clients/tools/ldapsearch -H
ldaps://ldap.google.com -x

Not sure if the same can be done with OpenSSL.