Description of problem: Connecting to a server with self-signed certificate without basic constraint extension fails. This kind of error seems to stop connecting even if TLS_REQCERT=never is set. Version-Release number of selected component (if applicable): openldap-2.4.26-7.fc16 How reproducible: Steps to Reproduce: 1. generate self-signed server certificate with: certutil -d . -S -x -n ldap -s "CN=server" -t TC,, 2. setup permissions, setup slapd, setup client 3. ldapsearch -x -ZZ -H ldap://server Actual results: TLS: certificate [CN=server] is not valid - CA cert is not valid TLS: certificate [CN=server] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8157 TLS: can't connect: TLS error -8157:Certificate extension not found.. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. Expected results: successful connection Additional info:
This is not right. My configuration was wrong, no certificates were available. But the error message is wrong, it is completely unrelated to the problem which happened. The original error can was overwritten with the error from the report in tlsm_verify_cert(). While walking through the verification log, basic extension from the certificate is requested in case there is a SEC_ERROR_CA_CERT_INVALID error. If the extension is not a part of the certificate, the original error is overwritten. PR_GetError() and PR_SetError() should fix that.
Created attachment 587230 [details] proposed patch Broken version: $ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. Fixed version: $ ../_build/clients/tools/ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
The patch fixes the issue with LDAPTLS_REQCERT=never as well.
Submitted upstream: http://www.openldap.org/its/index.cgi?findid=7287
Committed upstream: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=dc3842f
Resolved in openldap-2.4.31-3.fc17
openldap-2.4.31-3.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openldap-2.4.31-3.fc17
openldap-2.4.26-8.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/openldap-2.4.26-8.fc16
Package openldap-2.4.31-3.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openldap-2.4.31-3.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10000/openldap-2.4.31-3.fc17 then log in and leave karma (feedback).
openldap-2.4.31-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
openldap-2.4.26-8.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This seems to afflict the current version of openldap in RHEL 6 as well. Is there a related bug for that?
(In reply to comment #12) > This seems to afflict the current version of openldap in RHEL 6 as well. Is > there a related bug for that? Yes, there is - bug #828787, you will need to wait for RHEL-6.4