Bug 828787 - TLS error messages overwriting in tlsm_verify_cert()
TLS error messages overwriting in tlsm_verify_cert()
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap (Show other bugs)
6.3
Unspecified Unspecified
low Severity low
: rc
: ---
Assigned To: Jan Vcelak
David Spurek
:
: 863456 (view as bug list)
Depends On: 810462
Blocks: 836160
  Show dependency treegraph
 
Reported: 2012-06-05 07:38 EDT by Jan Vcelak
Modified: 2015-03-02 00:26 EST (History)
7 users (show)

See Also:
Fixed In Version: openldap-2.4.23-29.el6
Doc Type: Bug Fix
Doc Text:
Cause: Self-signed certificate without Basic Constraint Extension is used as a server TLS certificate. TLS client is configured to ignore any TLS certificate validation errors. Consequence: Client cannot connect to the server and a wrong message about missing Basic Constraint Extension is emitted. Fix: Patch applied to preserve the original TLS certificate validation error if Basic Constraint Extension is not found in the certificate. Result: Client can connect to the server, error message about untrusted certification authority which signed the server certificate is emitted, the connection will continue as expected.
Story Points: ---
Clone Of: 810462
Environment:
Last Closed: 2013-02-21 04:45:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Vcelak 2012-06-05 07:38:23 EDT
+++ This bug was initially created as a clone of Bug #810462 +++

Description of problem:

Connecting to a server with self-signed certificate without basic constraint extension fails. This kind of error seems to stop connecting even if TLS_REQCERT=never is set.

Version-Release number of selected component (if applicable):
openldap-2.4.26-7.fc16


How reproducible:


Steps to Reproduce:
1.
generate self-signed server certificate with:
certutil -d . -S -x -n ldap -s "CN=server" -t TC,,
2.
setup permissions, setup slapd, setup client
3.
ldapsearch -x -ZZ -H ldap://server
  
Actual results:

TLS: certificate [CN=server] is not valid - CA cert is not valid
TLS: certificate [CN=server] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8157
TLS: can't connect: TLS error -8157:Certificate extension not found..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.


Expected results:

successful connection


Additional info:

--- Additional comment from jvcelak@redhat.com on 2012-04-26 10:11:59 CEST ---

This is not right. My configuration was wrong, no certificates were available. But the error message is wrong, it is completely unrelated to the problem which happened.

The original error can was overwritten with the error from the report in tlsm_verify_cert(). While walking through the verification log, basic extension from the certificate is requested in case there is a SEC_ERROR_CA_CERT_INVALID error. If the extension is not a part of the certificate, the original error is overwritten.

PR_GetError() and PR_SetError() should fix that.

--- Additional comment from jvcelak@redhat.com on 2012-05-28 14:18:50 CEST ---

Created attachment 587230 [details]
proposed patch

Broken version:

$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.

Fixed version:

$ ../_build/clients/tools/ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

--- Additional comment from jvcelak@redhat.com on 2012-05-28 14:21:43 CEST ---

The patch fixes the issue with LDAPTLS_REQCERT=never as well.

--- Additional comment from jvcelak@redhat.com on 2012-06-05 11:54:31 CEST ---

Submitted upstream:
http://www.openldap.org/its/index.cgi?findid=7287

--- Additional comment from jvcelak@redhat.com on 2012-06-05 13:36:48 CEST ---

Committed upstream:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=dc3842f
Comment 5 Jan Vcelak 2012-09-25 12:10:23 EDT
Resolved in: openldap-2.4.23-29.el6
Comment 7 Jan Vcelak 2012-10-22 03:24:32 EDT
*** Bug 863456 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2013-02-21 04:45:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0364.html

Note You need to log in before you can comment on or make changes to this bug.