Bug 1027796 - tls_reqcert try has bad behavior
tls_reqcert try has bad behavior
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap (Show other bugs)
6.5
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Jan Synacek
Patrik Kis
: ManPageChange
Depends On: 1027613
Blocks: 1027618
  Show dependency treegraph
 
Reported: 2013-11-07 07:18 EST by David Spurek
Modified: 2015-03-02 00:28 EST (History)
5 users (show)

See Also:
Fixed In Version: openldap-2.4.39-6.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1027613
Environment:
Last Closed: 2014-10-14 00:58:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Spurek 2013-11-07 07:18:12 EST
The same problem on rhel 6, tested with openldap-2.4.23-32.el6_4.1
+++ This bug was initially created as a clone of Bug #1027613 +++

Description of problem:
'tls_reqcert try' option has bad behavior on client side. It should allow connection if certificate is not specified.

man page says:
try    The  server  certificate  is requested. If no cer‐
     tificate is provided, the  session  proceeds  nor‐
     mally.  If a bad certificate is provided, the ses‐
     sion is immediately terminated.

Version-Release number of selected component (if applicable):
openldap-2.4.35-6.el7

How reproducible:
always

Steps to Reproduce:
1.Setup ldap server with certificates
2.remove all TLS_CACERT and TLS_CACERTDIR from /etc/openldap/ldap.conf
3.set TLS_REQCERT try to /etc/openldap/ldap.conf
4. try ldapsearch -ZZ -x -H ldap://<server_name> '*'

Actual results:
ldapsearch fail:
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.


Expected results:
ldapsearch should pass

Additional info:

--- Additional comment from David Spurek on 2013-11-07 03:37:52 EST ---

if TLS_REQCERT allow is set then ldapsearch pass. TLS_REQCERT try and allow should have the same behavior in case if no ca cert is specified (according to description in man ldap.conf).
Comment 8 errata-xmlrpc 2014-10-14 00:58:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1426.html

Note You need to log in before you can comment on or make changes to this bug.