Red Hat Bugzilla – Bug 609722
libldap ignores a directory of CA certificates if any of them can't be read
Last modified: 2013-03-03 20:27:23 EST
Description of problem:
When the directory specified for the TLS_CACERTDIR setting in ldap.conf contains anything which can't be read, libldap ignores everything in the directory which could be read.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Store CA certificate in /etc/openldap/cacerts and set up links with c_rehash
2. Use ldapsearch -ZZ to perform a TLS-encrypted search of the directory
3. Create a symlink to a non-existent file in /etc/openldap/cacerts
4. Try using ldapsearch -ZZ to perform a TLS-encrypted search of the directory again
The second run will fail. On my system, the error message I get is:
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
The second run should succeed.
It looks like libraries/libldap/tls.c's get_ca_list() option is throwing away any results returned by SSL_add_dir_cert_subjects_to_stack() when it returns a failure. The comments in OpenSSL's source indicate that some certificates may still be returned in this case, and using them would avoid this error.
Created attachment 432782 [details]
patch for 2.3.43
Attaching patch. The change is backported from OpenLDAP 2.4.19.
When initializing default TLS context, the whole list of certificate authorities is not loaded on client side. This doesn't break certificate validation, server certificate is validated as expected.
Created attachment 432783 [details]
patch for 2.2.29 (compat)
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Created attachment 518910 [details]
patch for 2.2.29 (compat) - update
Resolved in openldap-2.3.43-20.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible
- the client tool will not establish TLS connection
- upstream fix applied to target this issue
- the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.