Red Hat Bugzilla – Bug 852476
connection hangs after fallback to second server when certificate hostname verification fails
Last modified: 2013-03-03 20:30:55 EST
+++ This bug was initially created as a clone of Bug #843056 +++
Description of problem:
When using OpenLDAP libraries to connect to a ldaps server and you would like to verify server's certificate, it will hang indefinitely if the common name supplied in the LDAP URL does not match the common name on the certificate.
Version-Release number of selected component (if applicable):
openldap-2.4.23-26 - I tested on 64 bit only
Steps to Reproduce:
1. Your LDAP server must have a certificate signed by CA and issued with common name set to myserver.mydomain.local or whatever name.
2. Try to execute a LDAP query using the following parameters (notice using the IP instead of actual LDAP server hostname):
LDAPTLS_CACERT=CA.pem LDAPTLS_REQCERT=demand ldapsearch -v -x -D "cn=MyName,ou=MyUsers,dc=MyDomain" -y "password_file" -H "ldaps://18.104.22.168" -b "ou=MyUsers,dc=MyDomain" "(&(objectClass=user)(samaccountname=MyUserName))" cn
Process is hanging
ldap_initialize( ldaps://hostname:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This was tested against a MS Windows 2008 AD LDAP server.
--- Additional comment from firstname.lastname@example.org on 2012-07-31 12:07:10 CEST ---
I cannot reproduce. Please, can you add '-d-1' option to the ldapsearch command and post the result?
--- Additional comment from email@example.com on 2012-08-02 15:02:01 CEST ---
Hi, it seems like this is my fault that you couldn't replicate, I was actually using 2 servers with -H instead of one as I printed in the bug description.
LDAPTLS_CACERT=CA.pem LDAPTLS_REQCERT=demand ldapsearch -v -x -D "cn=MyName,ou=MyUsers,dc=MyDomain" -y "password_file" -H "ldaps://22.214.171.124 ldaps://126.96.36.199" -b "ou=MyUsers,dc=MyDomain" "(&(objectClass=user)(samaccountname=MyUserName))" cn
ldap_initialize( ldaps://188.8.131.52:636/??base ldaps://184.108.40.206:636/??base )
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP 220.127.116.11:636
ldap_connect_to_host: Trying 18.104.22.168:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/certs/CAs/MyDomain.pem.
tls_write: want=70, written=70
tls_read: want=5, got=5
tls_read: want=7564, got=2891
tls_read: want=4673, got=4673
TLS: certificate [E=MyAddress@MyDomain.com,CN=MyServer.MyDomain.local,OU=MyOrgzanizationUnit,O=MyOrgzanization,L=MyLocality,ST=MyState,C=MyCountry] is valid
tls_write: want=205, written=205
tls_read: want=5, got=5
tls_read: want=1, got=1
tls_read: want=5, got=5
tls_read: want=48, got=48
TLS certificate verification: subject: E=MyAddress@MyDomain.com,CN=MyServer.MyDomain.local,OU=MyOrgzanizationUnit,O=MyOrgzanization,L=MyLocality,ST=MyState,C=RO, issuer: CN=MyDomainCA,DC=MyDomain,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS: hostname (22.214.171.124) does not match common name in certificate (MyServer.MyDomain.local).
ldap_connect_to_host: TCP 126.96.36.199:636
ldap_connect_to_host: Trying 188.8.131.52:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
This is where it gets stuck, when trying to connect to the second server after failing to verify the certificate of the first one.
Could you also edit the original description and remove my private hostname from the 4th line starting at the bottom?
--- Additional comment from firstname.lastname@example.org on 2012-08-02 15:03:40 CEST ---
Also, I made sure that it can successfully connect to both URLs if I specify them using ldaps://hostname1 and ldaps://hostname2.
--- Additional comment from email@example.com on 2012-08-28 13:31:39 CEST ---
Now I can reproduce.
--- Additional comment from firstname.lastname@example.org on 2012-08-28 13:47:46 CEST ---
Created attachment 607485 [details]
reproducer for the bug
Doing the search.
Stopping the servers.
--- Additional comment from email@example.com on 2012-08-28 14:38:19 CEST ---
The problem is in Mozilla NSS backend. I tried to recompile with OpenSSL and the bug didn't appear.
--- Additional comment from firstname.lastname@example.org on 2012-08-28 17:57:43 CEST ---
Created attachment 607635 [details]
It seems that the *tls_session is reused when connecting to the second server. Mozilla NSS cannot handle that and hangs inside SSL_ForceHandshake().
I believe the session should not be reused and my patch resolves that.
--- Additional comment from email@example.com on 2012-08-28 17:59:05 CEST ---
Upstream report and patch submission:
openldap-2.4.32-3.fc17 has been submitted as an update for Fedora 17.
openldap-2.4.32-3.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.32-3.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
openldap-2.4.32-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
openldap-2.4.32-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.