NetBSD-Bugs archive
lib/53675: ldaps appears to be broken
>Number: 53675
>Category: lib
>Synopsis: ldaps appears to be broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 18 23:55:00 +0000 2018
>Originator: brad%anduin.eldar.org@localhost
>Release: NetBSD 8.99.25
>Organization:
Eldar.org
>Environment:
System: NetBSD localhost 8.99.25 NetBSD 8.99.25 (XEN3_DOMU) #0: Mon Oct 8 20:54:57 EDT 2018 brad%samwise.nat.eldar.org@localhost:/lhome/DIST/OBJ/sys/arch/amd64/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
Somewhere between 8.0 and -current, ldaps appears to have broken. Non-TLS connections work fine.
>How-To-Repeat:
The server is an OpenLDAP server version 2.4.45 from pkgsrc running on
NetBSD 7.1_STABLE. The certificate is a real cert from Let's Encrypt.
The client is simply ldapsearch from the base system. The server is
pretty generous in the versions of SSL/TLS it supports for LDAP.
A working example:
ldapsearch -H 'ldaps://ldap.something.com' -D 'uid=nssread,ou=Internal,dc=something,dc=com' -w 'NONONONONONONONONONO' -b 'dc=something,dc=com' 'uid=brad'
produces the desired node and the server says:
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 ACCEPT from IP=10.1.100.235:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 TLS established tls_ssf=256 ssf=256
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" method=128
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" mech=SIMPLE ssf=0
A not working example:
ldapsearch -H 'ldaps://ldap.something.com' -D 'uid=nssread,ou=Internal,dc=something,dc=com' -w 'NONONONONONONONONONO' -b 'dc=something,dc=com' 'uid=brad'
produces the following error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldapsearch will often produce this error for a lot of reasons. The server says:
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 ACCEPT from IP=10.1.100.6:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 closed (TLS negotiation failure)
An annoying thing is that openssl s_client -connect ... from the
-current system manages to work fine in establishing a simple TLS
connection.
>Fix:
Don't know, but I can help debug the issue.
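The two slapd excerpts above are the server-side evidence for this report: a connection that completes the handshake logs "TLS established tls_ssf=256", one that does not logs "closed (TLS negotiation failure)" right after ACCEPT, with nothing from the client in between. When a site has many clients on different OS versions, it helps to pull those two outcomes out of the slapd log per connection and per client IP instead of reading it by eye. The script below does that; it is an added example for this page, not code from the report, from NetBSD or from OpenLDAP. The log lines embedded in it are constructed: the first two connections are modelled on the excerpts in the report, and a third plaintext connection on port 389 (conn=116770) is made up to show how a SIMPLE BIND with no TLS on the transport is distinguished from a SIMPLE BIND inside a TLS session (the "ssf=0" on the BIND line only reports the SASL layer, so the TLS line has to be consulted as well). The regexes assume the default slapd "stats" log format with IPv4 addresses.

```python
"""Correlate slapd connection log lines per conn= id and report which ldaps
clients completed the TLS handshake, which failed it, and which SIMPLE binds
went over a transport with no TLS at all.

Added example for troubleshooting the report above; not part of the original
bug report, NetBSD or OpenLDAP. Assumes the default slapd "stats" log format
and IPv4 client addresses.
"""
import re

# Constructed sample. conn=116750 and conn=116761 follow the excerpts in the
# report; conn=116770 is an invented plaintext (port 389) connection for
# contrast. None of this is real log data.
SAMPLE_LOG = """\
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 ACCEPT from IP=10.1.100.235:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 TLS established tls_ssf=256 ssf=256
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" method=128
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" mech=SIMPLE ssf=0
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 ACCEPT from IP=10.1.100.6:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 closed (TLS negotiation failure)
<20.7>Oct 18 19:40:02 ldap.something.com slapd[10386]: conn=116770 fd=78 ACCEPT from IP=10.1.100.6:49152 (IP=0.0.0.0:389)
<20.7>Oct 18 19:40:02 ldap.something.com slapd[10386]: conn=116770 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" method=128
<20.7>Oct 18 19:40:02 ldap.something.com slapd[10386]: conn=116770 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" mech=SIMPLE ssf=0
<20.7>Oct 18 19:40:02 ldap.something.com slapd[10386]: conn=116770 fd=78 closed
"""

# Every slapd stats line carries conn=<id>; the remainder says what happened.
RE_CONN = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
RE_ACCEPT = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[^:]+):\d+ \(IP=[^:]+:(?P<port>\d+)\)")
RE_TLS = re.compile(r"fd=\d+ TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)")
RE_CLOSED = re.compile(r"fd=\d+ closed(?: \((?P<reason>[^)]*)\))?")
# The "mech=... ssf=..." BIND line; the earlier "method=128" line is skipped.
RE_BIND = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')


def parse_slapd_log(text):
    """Return {conn_id: state} built from ACCEPT / TLS / BIND / closed lines."""
    conns = {}
    for line in text.splitlines():
        m = RE_CONN.search(line)
        if not m:
            continue
        state = conns.setdefault(int(m["conn"]), {
            "client": None, "port": None, "tls_ssf": 0,
            "binds": [], "closed": False, "close_reason": None,
        })
        rest = m["rest"]
        if (a := RE_ACCEPT.match(rest)):
            state["client"], state["port"] = a["ip"], int(a["port"])
        elif (t := RE_TLS.match(rest)):
            # Transport-level protection lives here, not on the BIND line.
            state["tls_ssf"] = int(t["tls_ssf"])
        elif (c := RE_CLOSED.match(rest)):
            state["closed"] = True
            state["close_reason"] = c["reason"]
        elif (b := RE_BIND.match(rest)):
            state["binds"].append((b["dn"], b["mech"], int(b["ssf"])))
    return conns


def summarize(conns):
    """Split connections into TLS ok / TLS failed / SIMPLE bind without TLS."""
    report = {"tls_ok": [], "tls_failed": [], "cleartext_binds": []}
    for cid, c in sorted(conns.items()):
        if c["close_reason"] == "TLS negotiation failure":
            report["tls_failed"].append((cid, c["client"]))
        elif c["tls_ssf"] > 0:
            report["tls_ok"].append((cid, c["client"], c["tls_ssf"]))
        for dn, mech, _sasl_ssf in c["binds"]:
            # ssf=0 on the BIND line is the SASL layer; only tls_ssf tells us
            # whether the password crossed the wire in the clear.
            if mech == "SIMPLE" and c["tls_ssf"] == 0:
                report["cleartext_binds"].append((cid, c["client"], dn))
    return report


if __name__ == "__main__":
    rep = summarize(parse_slapd_log(SAMPLE_LOG))
    for key in ("tls_ok", "tls_failed", "cleartext_binds"):
        print(f"{key}:")
        for entry in rep[key]:
            print("   ", *entry)
```

Feed it `cat /var/log/slapd.log | python3 slapd_tls.py`-style (read stdin instead of SAMPLE_LOG) and the "tls_failed" bucket lists exactly the client addresses whose library could not negotiate with this slapd, which is the quickest way to confirm the failure tracks one client OS version rather than one account or one bind DN. One caveat for the comparison made in the report: `openssl s_client` succeeding from the same host only shows that the server will complete some handshake with that OpenSSL build; ldapsearch goes through libldap, which applies its own certificate verification and protocol settings from ldap.conf (TLS_CACERT, TLS_REQCERT and related options), so the client-side error text from `ldapsearch -d 1` is the piece the server log cannot supply.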