137581 – ldap_start_tls() doesn't fail gracefully

Bug 137581 - ldap_start_tls() doesn't fail gracefully

Summary: ldap_start_tls() doesn't fail gracefully

Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	openldap
Sub Component:
Version:	3.0
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jan Safranek
QA Contact:	Jay Turner
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-29 16:36 UTC by John Haxby
Modified:	2015-01-08 00:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2007-10-19 19:15:16 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description John Haxby 2004-10-29 16:36:00 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.2)
Gecko/20040806

Description of problem:
It should be possible to issue ldap_start_tls_s() against an OpenLDAP
server that is not configured for TLS and simply have TLS not be
negotiated.  Unfortunately, this is not the case: the connection to
the LDAP server becomes unusable.   You can test this quite easily
with ldapsearch:

Version-Release number of selected component (if applicable):
openldap-2.0.27-17

How reproducible:
Always

Steps to Reproduce:
1. Install openldap and make sure that the TLS lines are commented out
in /etc/openldap/slapd.conf
2. Start the ldap server
3. Run, for example, "ldapsearch -Zxh localhost objectclass=*"
    

Actual Results:  Instead of getting something, anything, back from the
LDAP server you get an error like this:

ldap_start_tls: Connect error
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


Expected Results:  An indication that TLS cannot be negotiated, and
then carry on without TLS.  The "-ZZ" option for ldapsearch requires
that TLS is negotiated.

Additional info:

Another completely different implementation of an LDAP server that
doesn't support TLS at all works just fine: "ldapsearch -Z" reports
that TLS couldn't be negotiated, but the search carries on.

Comment 1 Miloslav Trmač 2005-04-22 16:38:07 UTC

This affects also current devel (openldap 2.2.23-4), but not FC3
(openldap-2.2.13-2)

Comment 2 RHEL Product and Program Management 2007-10-19 19:15:16 UTC

This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.