Bug 609722 - libldap ignores a directory of CA certificates if any of them can't be read
libldap ignores a directory of CA certificates if any of them can't be read
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openldap (Show other bugs)
5.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jan Vcelak
Ondrej Moriš
:
Depends On:
Blocks: 593242 649048 699652 811468
  Show dependency treegraph
 
Reported: 2010-06-30 18:04 EDT by Nalin Dahyabhai
Modified: 2013-03-03 20:27 EST (History)
7 users (show)

See Also:
Fixed In Version: openldap-2.3.43-20.el5
Doc Type: Bug Fix
Doc Text:
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible - the client tool will not establish TLS connection - upstream fix applied to target this issue - the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
Story Points: ---
Clone Of:
: 811468 (view as bug list)
Environment:
Last Closed: 2012-02-21 00:26:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch for 2.3.43 (1.68 KB, patch)
2010-07-19 03:45 EDT, Jan Vcelak
no flags Details | Diff
patch for 2.2.29 (compat) (2.22 KB, patch)
2010-07-19 03:46 EDT, Jan Vcelak
no flags Details | Diff
patch for 2.2.29 (compat) - update (3.79 KB, patch)
2011-08-18 13:21 EDT, Jan Vcelak
no flags Details | Diff

  None (edit)
Description Nalin Dahyabhai 2010-06-30 18:04:45 EDT
Description of problem:
When the directory specified for the TLS_CACERTDIR setting in ldap.conf contains anything which can't be read, libldap ignores everything in the directory which could be read.

Version-Release number of selected component (if applicable):
openldap-2.3.43-12.el5

How reproducible:
Always

Steps to Reproduce:
1. Store CA certificate in /etc/openldap/cacerts and set up links with c_rehash
2. Use ldapsearch -ZZ to perform a TLS-encrypted search of the directory
3. Create a symlink to a non-existent file in /etc/openldap/cacerts
4. Try using ldapsearch -ZZ to perform a TLS-encrypted search of the directory again
  
Actual results:
The second run will fail.  On my system, the error message I get is:
  ldap_start_tls: Connect error (-11)
          additional info: Start TLS request accepted.Server willing to negotiate SSL.

Expected results:
The second run should succeed.

Additional info:
It looks like libraries/libldap/tls.c's get_ca_list() option is throwing away any results returned by SSL_add_dir_cert_subjects_to_stack() when it returns a failure.  The comments in OpenSSL's source indicate that some certificates may still be returned in this case, and using them would avoid this error.
Comment 1 Jan Vcelak 2010-07-19 03:45:38 EDT
Created attachment 432782 [details]
patch for 2.3.43

Attaching patch. The change is backported from OpenLDAP 2.4.19.

When initializing default TLS context, the whole list of certificate authorities is not loaded on client side. This doesn't break certificate validation, server certificate is validated as expected.
Comment 2 Jan Vcelak 2010-07-19 03:46:25 EDT
Created attachment 432783 [details]
patch for 2.2.29 (compat)
Comment 4 RHEL Product and Program Management 2010-08-09 14:44:49 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 10 Jan Vcelak 2011-08-18 13:21:32 EDT
Created attachment 518910 [details]
patch for 2.2.29 (compat) - update
Comment 11 Jan Vcelak 2011-08-18 13:57:14 EDT
Resolved in openldap-2.3.43-20.el5
Comment 13 Jan Vcelak 2011-08-26 09:55:33 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible
- the client tool will not establish TLS connection
- upstream fix applied to target this issue
- the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
Comment 15 errata-xmlrpc 2012-02-21 00:26:50 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0155.html

Note You need to log in before you can comment on or make changes to this bug.