Bug 137581
| Summary: | ldap_start_tls() doesn't fail gracefully | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | John Haxby <jch> |
| Component: | openldap | Assignee: | Jan Safranek <jsafrane> |
| Status: | CLOSED WONTFIX | QA Contact: | Jay Turner <jturner> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.0 | CC: | mitr, srevivo |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-10-19 19:15:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This affects also current devel (openldap 2.2.23-4), but not FC3 (openldap-2.2.13-2) This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet that criteria, it is now being closed. For more information of the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.2) Gecko/20040806 Description of problem: It should be possible to issue ldap_start_tls_s() against an OpenLDAP server that is not configured for TLS and simply have TLS not be negotiated. Unfortunately, this is not the case: the connection to the LDAP server becomes unusable. You can test this quite easily with ldapsearch: Version-Release number of selected component (if applicable): openldap-2.0.27-17 How reproducible: Always Steps to Reproduce: 1. Install openldap and make sure that the TLS lines are commented out in /etc/openldap/slapd.conf 2. Start the ldap server 3. Run, for example, "ldapsearch -Zxh localhost objectclass=*" Actual Results: Instead of getting something, anything, back from the LDAP server you get an error like this: ldap_start_tls: Connect error additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ldap_bind: Can't contact LDAP server additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Expected Results: An indication that TLS cannot be negotiated, and then carry on without TLS. The "-ZZ" option for ldapsearch requires that TLS is negotiated. Additional info: Another completely different implementation of an LDAP server that doesn't support TLS at all works just fine: "ldapsearch -Z" reports that TLS couldn't be negotiated, but the search carries on.