Bug 828787

Summary: TLS error messages overwriting in tlsm_verify_cert()
Product: Red Hat Enterprise Linux 6 Reporter: Jan Vcelak <jvcelak>
Component: openldapAssignee: Jan Vcelak <jvcelak>
Status: CLOSED ERRATA QA Contact: David Spurek <dspurek>
Severity: low Docs Contact:
Priority: low    
Version: 6.3CC: dspurek, ebenes, fdewaley, jsynacek, jvcelak, rmeggins, tsmetana
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openldap-2.4.23-29.el6 Doc Type: Bug Fix
Doc Text:
Cause: Self-signed certificate without Basic Constraint Extension is used as a server TLS certificate. TLS client is configured to ignore any TLS certificate validation errors. Consequence: Client cannot connect to the server and a wrong message about missing Basic Constraint Extension is emitted. Fix: Patch applied to preserve the original TLS certificate validation error if Basic Constraint Extension is not found in the certificate. Result: Client can connect to the server, error message about untrusted certification authority which signed the server certificate is emitted, the connection will continue as expected.
 Story Points: ---
Clone Of: 810462 Environment:
Last Closed: 2013-02-21 09:45:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 810462    
Bug Blocks: 836160    

Description Jan Vcelak 2012-06-05 11:38:23 UTC 
+++ This bug was initially created as a clone of Bug #810462 +++

Description of problem:

Connecting to a server with self-signed certificate without basic constraint extension fails. This kind of error seems to stop connecting even if TLS_REQCERT=never is set.

Version-Release number of selected component (if applicable):
openldap-2.4.26-7.fc16


How reproducible:


Steps to Reproduce:
1.
generate self-signed server certificate with:
certutil -d . -S -x -n ldap -s "CN=server" -t TC,,
2.
setup permissions, setup slapd, setup client
3.
ldapsearch -x -ZZ -H ldap://server
  
Actual results:

TLS: certificate [CN=server] is not valid - CA cert is not valid
TLS: certificate [CN=server] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8157
TLS: can't connect: TLS error -8157:Certificate extension not found..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.


Expected results:

successful connection


Additional info:

--- Additional comment from jvcelak on 2012-04-26 10:11:59 CEST ---

This is not right. My configuration was wrong, no certificates were available. But the error message is wrong, it is completely unrelated to the problem which happened.

The original error can was overwritten with the error from the report in tlsm_verify_cert(). While walking through the verification log, basic extension from the certificate is requested in case there is a SEC_ERROR_CA_CERT_INVALID error. If the extension is not a part of the certificate, the original error is overwritten.

PR_GetError() and PR_SetError() should fix that.

--- Additional comment from jvcelak on 2012-05-28 14:18:50 CEST ---

Created attachment 587230 [details]
proposed patch

Broken version:

$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.

Fixed version:

$ ../_build/clients/tools/ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

--- Additional comment from jvcelak on 2012-05-28 14:21:43 CEST ---

The patch fixes the issue with LDAPTLS_REQCERT=never as well.

--- Additional comment from jvcelak on 2012-06-05 11:54:31 CEST ---

Submitted upstream:
http://www.openldap.org/its/index.cgi?findid=7287

--- Additional comment from jvcelak on 2012-06-05 13:36:48 CEST ---

Committed upstream:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=dc3842f
Comment 5 Jan Vcelak 2012-09-25 16:10:23 UTC 
Resolved in: openldap-2.4.23-29.el6
Comment 7 Jan Vcelak 2012-10-22 07:24:32 UTC 
*** Bug 863456 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2013-02-21 09:45:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0364.html