Bug 609722
| Summary: | libldap ignores a directory of CA certificates if any of them can't be read | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Nalin Dahyabhai <nalin> | ||||||||
| Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 5.5 | CC: | bugzilla, dspurek, jplans, jvcelak, omoris, ovasik, tsmetana | ||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | openldap-2.3.43-20.el5 | Doc Type: | Bug Fix | ||||||||
| Doc Text: |
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible
- the client tool will not establish TLS connection
- upstream fix applied to target this issue
- the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
|
Story Points: | --- | ||||||||
| Clone Of: | |||||||||||
| : | 811468 (view as bug list) | Environment: | |||||||||
| Last Closed: | 2012-02-21 05:26:50 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 593242, 649048, 699652, 811468 | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 432782 [details]
patch for 2.3.43
Attaching patch. The change is backported from OpenLDAP 2.4.19.
When initializing default TLS context, the whole list of certificate authorities is not loaded on client side. This doesn't break certificate validation, server certificate is validated as expected.
Created attachment 432783 [details]
patch for 2.2.29 (compat)
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. Created attachment 518910 [details]
patch for 2.2.29 (compat) - update
Resolved in openldap-2.3.43-20.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible
- the client tool will not establish TLS connection
- upstream fix applied to target this issue
- the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0155.html |
Description of problem: When the directory specified for the TLS_CACERTDIR setting in ldap.conf contains anything which can't be read, libldap ignores everything in the directory which could be read. Version-Release number of selected component (if applicable): openldap-2.3.43-12.el5 How reproducible: Always Steps to Reproduce: 1. Store CA certificate in /etc/openldap/cacerts and set up links with c_rehash 2. Use ldapsearch -ZZ to perform a TLS-encrypted search of the directory 3. Create a symlink to a non-existent file in /etc/openldap/cacerts 4. Try using ldapsearch -ZZ to perform a TLS-encrypted search of the directory again Actual results: The second run will fail. On my system, the error message I get is: ldap_start_tls: Connect error (-11) additional info: Start TLS request accepted.Server willing to negotiate SSL. Expected results: The second run should succeed. Additional info: It looks like libraries/libldap/tls.c's get_ca_list() option is throwing away any results returned by SSL_add_dir_cert_subjects_to_stack() when it returns a failure. The comments in OpenSSL's source indicate that some certificates may still be returned in this case, and using them would avoid this error.