LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

Oh, and if you're wondering, the ldaps:// results are the correct ones: an untrusted CA (self signed) should be rejected.

A bug has been found in libldap code that interferes with the value of "require cert" option. It affects libldap built with GnuTLS, as is done in packages supplied by Ubuntu and Debian. The bug causes the value to be read from previously freed memory, often resulting in incorrect or random value being used. This bug has been fixed upstream by the OpenLDAP team, but the fix has not yet been backported to Ubuntu.

Bug 1557248
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557248

The problem you describe may be caused by this bug, or by an unrelated problem. However, in any case Ubuntu libldap packages currently in wily and xenial do not handle "require cert" option correctly. With this in mind, may I ask that you vote for bug 1557248 in order for it to get noticed by Ubuntu maintainers.

Status changed to 'Confirmed' because the bug affects multiple users.

I created a PPA with patched openldap packages for wily and xenial. If you would like to test them, there is more information in bug 1557248.

Hi Martin,

I'm trying to reproduce the bug you reported, in order to determine whether Maciej's patch fixed it or not.

However, a simple C program making the following calls:

ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &protocol_version);
ldap_initialize(&ld, "ldaps://");
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
ldap_simple_bind_s(ld, NULL, NULL);

ldap_initialize(&ld, "ldap://");
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
ldap_start_tls_s(ld, NULL, NULL);

appears to behave as expected for me.

Could you please post the program code (any language is fine) that you used to demonstrate the bug? Thanks!

Hi,

There's a lot more detail on the bug report on the openldap site, including some replication steps: http://www.openldap.org/its/index.cgi/Incoming?id=8374#followup7

I've just tried again, and it still doesn't work as expected on xenial with the latest packages installed.

The connection for start_tls always succeeds when it should fail.

Martin...

Hi,
I'm clearing old dormant bugs atm.

Here are no good next step to take action.
Also the referred upstream discussion seems to have fallen to slumber.

Did you have luck trying newer versions of this or any other update that helps to get this bug moving again?

Also we are waiting for answers to comment #5 as for others the issue seems not to trigger, and clear steps to reproduce would help.

I can check again, but the last time I looked this was still broken ...

If you can point to where upstream have fixed it please, then we would have something to work on. Unfortunately I'm not sure we can make any progress without that.

I don't think they have: my ticket is still open with them too. :(

Last time I tried to reproduce this with a C program I was not successful, hence why I haven't been able to work on this from the upstream side. I will try again... Martin, it would be *very* helpful if you could post code or a script that demonstrates the issue in an automated way. I know you posted details and pseudocode on the ITS but I'm fallible and didn't succeed at turning it into a reproducer so far. Thanks!

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]