Bug 1814674
| Summary: | if the certificate contains CN=[ip address] the connection to openldap server is rejected | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Filip Dvorak <fdvorak> | ||||||||
| Component: | openldap | Assignee: | Simon Pichugin <spichugi> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> | ||||||||
| Severity: | low | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 8.2 | CC: | arajendr, bsmejkal, cheimes, mharmsen, pkis, quanah, sgouvern, spichugi, vashirov | ||||||||
| Target Milestone: | rc | Keywords: | Regression, Triaged | ||||||||
| Target Release: | 8.0 | Flags: | spichugi:
needinfo+
pm-rhel: mirror+ |
||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | openldap-2.4.46-18.el8 | Doc Type: | If docs needed, set a value | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2021-11-09 19:49:50 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Filip Dvorak
2020-03-18 14:03:25 UTC
Created attachment 1671079 [details]
slapd.conf
I don't see a bug here. Section 3.1.3 of RFC4513 only allows for DNS hostnames in the subject field. IP addresses are only allowed in the subjectAltName field of the certificate. If this was working in the past, it would generally indicate that OpenLDAP was patched downstream by RH to support non-RFC conformant behavior. (In reply to Quanah Gibson-Mount from comment #4) > I don't see a bug here. Section 3.1.3 of RFC4513 only allows for DNS > hostnames in the subject field. IP addresses are only allowed in the > subjectAltName field of the certificate. Indeed, the RFC does not mention IP address could be used in such case. Which renders this bug/request invalid. Thanks for the feedback. > > If this was working in the past, it would generally indicate that OpenLDAP > was patched downstream by RH to support non-RFC conformant behavior. I've retested with the latest LTB build and it exhibits the same issue. Also, I do not see any downstream patch that could potentially cause this. (In reply to Matus Honek from comment #5) > > > > If this was working in the past, it would generally indicate that OpenLDAP > > was patched downstream by RH to support non-RFC conformant behavior. > > I've retested with the latest LTB build and it exhibits the same issue. > Also, I do not see any downstream patch that could potentially cause this. Hi Matus, Thanks for following up! By "exhibits the same issue" do you mean the LTB build correctly rejects a cert with an IP address in the subject, or that it incorrectly accepts the cert? Thanks, Quanah Created attachment 1691159 [details]
Certificate with IP address in subject
Ah, sorry... With LTB I could successfully accept certificate with IP address (127.0.0.1) in the subject. Thus it incorrectly accepts the certificate wrt. the RFC. The certificate is attached.
(In reply to Matus Honek from comment #7) > Created attachment 1691159 [details] > Certificate with IP address in subject > > Ah, sorry... With LTB I could successfully accept certificate with IP > address (127.0.0.1) in the subject. Thus it incorrectly accepts the > certificate wrt. the RFC. The certificate is attached. Great, thanks! I'll confirm upstream and file an issue there if I can reproduce. (In reply to Quanah Gibson-Mount from comment #8) > (In reply to Matus Honek from comment #7) > > Created attachment 1691159 [details] > > Certificate with IP address in subject > > > > Ah, sorry... With LTB I could successfully accept certificate with IP > > address (127.0.0.1) in the subject. Thus it incorrectly accepts the > > certificate wrt. the RFC. The certificate is attached. > > Great, thanks! I'll confirm upstream and file an issue there if I can > reproduce. Hi Matus, When using startTLS and an ldap conf option of "demand" (I.e., require the cert to be valid), I get an expected failure using OpenLDAP's stock libldap as long as the URI used by the client uses a hostname. I.e.: ldapsearch ... -ZZ -H ldap://localhost:389 -> fails but it does work for me if the IP address is used in the URI rather than the hostname. I.e.: ldapsearch ... -ZZ -H ldap://127.0.0.1:389 -> succeeds The latter behavior would still appear to be a bug, but the scope of the issue seems fairly limited. I have this tracking upstream in https://bugs.openldap.org/show_bug.cgi?id=9267 Regards, Quanah (In reply to Quanah Gibson-Mount from comment #9) > but it does work for me if the IP address is used in the URI rather than the > hostname. I.e.: > > ldapsearch ... -ZZ -H ldap://127.0.0.1:389 -> succeeds > > The latter behavior would still appear to be a bug, but the scope of the > issue seems fairly limited. > > I have this tracking upstream in > https://bugs.openldap.org/show_bug.cgi?id=9267 Hi Matus, After digging deeper into the RFCs (and documented in the upstream bug), it is legal/valid for an IP address in subject to work with an LDAP URI as long as the URI is an IP address. I.e., ldap://127.0.0.1 and the cert has 127.0.0.1 as the subject. So as far as I can tell, the default OpenLDAP behavior in cert handling is correct. Regards, Quanah A side note - Given the provided ldap.conf in this ticket which does indeed use an IP address for the URI, this bug is in fact valid and would denote a regression from standard OpenLDAP. Regards, Quanah Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openldap bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4449 |