Bug 1027613 - tls_reqcert try has bad behavior
Summary: tls_reqcert try has bad behavior
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Synacek
QA Contact: Eduard Benes
URL:
Whiteboard:
Depends On:
Blocks: 1027618 1027796
TreeView+ depends on / blocked
 
Reported: 2013-11-07 08:34 UTC by David Spurek
Modified: 2015-03-05 13:35 UTC (History)
3 users (show)

Fixed In Version: openldap-2.4.39-5.el7
Doc Type: Bug Fix
Doc Text:
Cause: Confusing description in the manual page. Consequence: The user might be confused about the real behavior. Fix: Fix the description in the man page. Result: The man page description is now correct.
Clone Of:
: 1027618 1027796 (view as bug list)
Environment:
Last Closed: 2015-03-05 13:35:25 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
OpenLDAP ITS 7744 0 None None None Never
Red Hat Product Errata RHBA-2015:0597 0 normal SHIPPED_LIVE openldap bug fix and enhancement update 2015-03-05 17:20:57 UTC

Description David Spurek 2013-11-07 08:34:04 UTC 
Description of problem:
'tls_reqcert try' option has bad behavior on client side. It should allow connection if certificate is not specified.

man page says:
try    The  server  certificate  is requested. If no cer‐
     tificate is provided, the  session  proceeds  nor‐
     mally.  If a bad certificate is provided, the ses‐
     sion is immediately terminated.

Version-Release number of selected component (if applicable):
openldap-2.4.35-6.el7

How reproducible:
always

Steps to Reproduce:
1.Setup ldap server with certificates
2.remove all TLS_CACERT and TLS_CACERTDIR from /etc/openldap/ldap.conf
3.set TLS_REQCERT try to /etc/openldap/ldap.conf
4. try ldapsearch -ZZ -x -H ldap://<server_name> '*'

Actual results:
ldapsearch fail:
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.


Expected results:
ldapsearch should pass

Additional info:
Comment 1 David Spurek 2013-11-07 08:37:52 UTC 
if TLS_REQCERT allow is set then ldapsearch pass. TLS_REQCERT try and allow should have the same behavior in case if no ca cert is specified (according to description in man ldap.conf).
Comment 2 Jan Synacek 2013-11-12 08:52:24 UTC 
First observation: TLS_REQCERT has no effect if you use ldapsearch with -Z[Z]. This probably works as it should, see http://www.openldap.org/its/index.cgi?findid=7206.
Comment 3 Jan Synacek 2013-11-12 10:01:28 UTC 
I couldn't configure the server so it "provides no certificate" and connect to it using the ldapsearch client.

The manpage is talking about server certificates, TLS_CACERT and TLS_CACERTDIR are CA certificates that the client should use, therefore removing them is not relevant.
Comment 4 Jan Synacek 2013-11-13 11:42:45 UTC 
Upstream discussion at http://www.openldap.org/lists/openldap-technical/201311/msg00099.html.

Conclusion: the manpage should be fixed.
Comment 14 errata-xmlrpc 2015-03-05 13:35:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0597.html
Note You need to log in before you can comment on or make changes to this bug.