Bug 810462 - TLS error messages overwriting in tlsm_verify_cert()
TLS error messages overwriting in tlsm_verify_cert()
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
16
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jan Vcelak
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 828787
  Show dependency treegraph
 
Reported: 2012-04-06 05:16 EDT by Jan Vcelak
Modified: 2013-03-03 20:30 EST (History)
6 users (show)

See Also:
Fixed In Version: openldap-2.4.31-3.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 828787 (view as bug list)
Environment:
Last Closed: 2012-07-17 13:21:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed patch (1.42 KB, patch)
2012-05-28 08:18 EDT, Jan Vcelak
jvcelak: review?
Details | Diff

  None (edit)
Description Jan Vcelak 2012-04-06 05:16:08 EDT
Description of problem:

Connecting to a server with self-signed certificate without basic constraint extension fails. This kind of error seems to stop connecting even if TLS_REQCERT=never is set.

Version-Release number of selected component (if applicable):
openldap-2.4.26-7.fc16


How reproducible:


Steps to Reproduce:
1.
generate self-signed server certificate with:
certutil -d . -S -x -n ldap -s "CN=server" -t TC,,
2.
setup permissions, setup slapd, setup client
3.
ldapsearch -x -ZZ -H ldap://server
  
Actual results:

TLS: certificate [CN=server] is not valid - CA cert is not valid
TLS: certificate [CN=server] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8157
TLS: can't connect: TLS error -8157:Certificate extension not found..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.


Expected results:

successful connection


Additional info:
Comment 1 Jan Vcelak 2012-04-26 04:11:59 EDT
This is not right. My configuration was wrong, no certificates were available. But the error message is wrong, it is completely unrelated to the problem which happened.

The original error can was overwritten with the error from the report in tlsm_verify_cert(). While walking through the verification log, basic extension from the certificate is requested in case there is a SEC_ERROR_CA_CERT_INVALID error. If the extension is not a part of the certificate, the original error is overwritten.

PR_GetError() and PR_SetError() should fix that.
Comment 2 Jan Vcelak 2012-05-28 08:18:50 EDT
Created attachment 587230 [details]
proposed patch

Broken version:

$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.

Fixed version:

$ ../_build/clients/tools/ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Comment 3 Jan Vcelak 2012-05-28 08:21:43 EDT
The patch fixes the issue with LDAPTLS_REQCERT=never as well.
Comment 4 Jan Vcelak 2012-06-05 05:54:31 EDT
Submitted upstream:
http://www.openldap.org/its/index.cgi?findid=7287
Comment 5 Jan Vcelak 2012-06-05 07:36:48 EDT
Committed upstream:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=dc3842f
Comment 6 Jan Vcelak 2012-06-27 09:11:59 EDT
Resolved in openldap-2.4.31-3.fc17
Comment 7 Fedora Update System 2012-06-27 09:17:01 EDT
openldap-2.4.31-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openldap-2.4.31-3.fc17
Comment 8 Fedora Update System 2012-06-27 12:06:13 EDT
openldap-2.4.26-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openldap-2.4.26-8.fc16
Comment 9 Fedora Update System 2012-06-27 23:32:58 EDT
Package openldap-2.4.31-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.31-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10000/openldap-2.4.31-3.fc17
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-07-17 13:21:50 EDT
openldap-2.4.31-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-07-17 13:26:28 EDT
openldap-2.4.26-8.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Julian C. Dunn 2012-10-02 15:10:52 EDT
This seems to afflict the current version of openldap in RHEL 6 as well. Is there a related bug for that?
Comment 13 Jan Vcelak 2012-10-03 03:27:10 EDT
(In reply to comment #12)
> This seems to afflict the current version of openldap in RHEL 6 as well. Is
> there a related bug for that?

Yes, there is - bug #828787, you will need to wait for RHEL-6.4

Note You need to log in before you can comment on or make changes to this bug.