609722 – libldap ignores a directory of CA certificates if any of them can't be read

Bug 609722 - libldap ignores a directory of CA certificates if any of them can't be read

Summary: libldap ignores a directory of CA certificates if any of them can't be read

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	openldap
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Vcelak
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	593242 649048 699652 811468
TreeView+	depends on / blocked

Reported:	2010-06-30 22:04 UTC by Nalin Dahyabhai
Modified:	2013-03-04 01:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openldap-2.3.43-20.el5
Doc Type:	Bug Fix
Doc Text:	- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible - the client tool will not establish TLS connection - upstream fix applied to target this issue - the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible
Clone Of:
Clones:	811468 (view as bug list)
Environment:
Last Closed:	2012-02-21 05:26:50 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch for 2.3.43 (1.68 KB, patch) 2010-07-19 07:45 UTC, Jan Vcelak	no flags	Details \| Diff
patch for 2.2.29 (compat) (2.22 KB, patch) 2010-07-19 07:46 UTC, Jan Vcelak	no flags	Details \| Diff
patch for 2.2.29 (compat) - update (3.79 KB, patch) 2011-08-18 17:21 UTC, Jan Vcelak	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0155	0	normal	SHIPPED_LIVE	openldap bug fix and enhancement update	2012-02-20 14:54:48 UTC

Description Nalin Dahyabhai 2010-06-30 22:04:45 UTC

Description of problem:
When the directory specified for the TLS_CACERTDIR setting in ldap.conf contains anything which can't be read, libldap ignores everything in the directory which could be read.

Version-Release number of selected component (if applicable):
openldap-2.3.43-12.el5

How reproducible:
Always

Steps to Reproduce:
1. Store CA certificate in /etc/openldap/cacerts and set up links with c_rehash
2. Use ldapsearch -ZZ to perform a TLS-encrypted search of the directory
3. Create a symlink to a non-existent file in /etc/openldap/cacerts
4. Try using ldapsearch -ZZ to perform a TLS-encrypted search of the directory again
  
Actual results:
The second run will fail.  On my system, the error message I get is:
  ldap_start_tls: Connect error (-11)
          additional info: Start TLS request accepted.Server willing to negotiate SSL.

Expected results:
The second run should succeed.

Additional info:
It looks like libraries/libldap/tls.c's get_ca_list() option is throwing away any results returned by SSL_add_dir_cert_subjects_to_stack() when it returns a failure.  The comments in OpenSSL's source indicate that some certificates may still be returned in this case, and using them would avoid this error.

Comment 1 Jan Vcelak 2010-07-19 07:45:38 UTC

Created attachment 432782 [details]
patch for 2.3.43

Attaching patch. The change is backported from OpenLDAP 2.4.19.

When initializing default TLS context, the whole list of certificate authorities is not loaded on client side. This doesn't break certificate validation, server certificate is validated as expected.

Comment 2 Jan Vcelak 2010-07-19 07:46:25 UTC

Created attachment 432783 [details]
patch for 2.2.29 (compat)

Comment 4 RHEL Program Management 2010-08-09 18:44:49 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 10 Jan Vcelak 2011-08-18 17:21:32 UTC

Created attachment 518910 [details]
patch for 2.2.29 (compat) - update

Comment 11 Jan Vcelak 2011-08-18 17:57:14 UTC

Resolved in openldap-2.3.43-20.el5

Comment 13 Jan Vcelak 2011-08-26 13:55:33 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- openldap client tool configured with TLSCA_CERTDIR, but some of the certificate files are not accessible
- the client tool will not establish TLS connection
- upstream fix applied to target this issue
- the client tool will establish the TLS connection to the server, even if some of the certificates in TLSCA_CERTDIR is inaccessible

Comment 15 errata-xmlrpc 2012-02-21 05:26:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0155.html

Note You need to log in before you can comment on or make changes to this bug.