Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther+ldapdev@sendmail.com
On Thu, 14 Aug 2008, Michael Ströder wrote:
> Philip Guenther wrote:
...
> > They also have the "SSLProtocol" directive, further down on that page.
>
> Then I'd vote for doing it exactly like this with one option (space- or
> comma-separated list of protocols).
As I mentioned in the ITS, I think treating the various protocol versions
as independently choosable is a Bad Thing, as it permits broken settings
with no corresponding gain.
That said, it's more important to me that *some* option gets in so that I
(and Sendmail) don't have to maintain forever a patch to add it. If
someone 'official' will make a decision and simply state what the option
should look like in its three forms (C API, ldap.conf, slapd config), I'll
munge the patch to match.
Philip Guenther
Re: (ITS#5640) slapd scans too many objects at startup
by ghenry@OpenLDAP.org
----- "ali pouya" <ali.pouya(a)free.fr> wrote:
> Gavin Henry <ghenry(a)suretecsystems.com> wrote :
>
> > ali.pouya(a)free.fr wrote:
>
> > Why do you change serverID?
> In a configuration with two mirrors I have to set two different IDs.
> The problem is that the replica defaults to serverID=0, whilst I
> understood that the replica does not need a serverID.
> > So you're saying serverID=0, serverID=1, serverID=2 makes a
> > difference from serverID=1, serverID=2, serverID=3?
> >
> > They only have to be unique.
> >
>
> Yes. Let me put the problem another way:
>
> In 2.4.11 each time you start slapd (master as well as replica) it
> scans (reads) all of the objects being more recent than its contextCSN
> value having ITS OWN serverID. Wouldn't it be better that it scans only
> the objects more recent than the most recent value of the contextCSN?
> If you have millions of such entries the scanning takes too long.
> Is this a bug or a normal feature?
This is intended:
servers/slapd/overlays/syncprov.c in HEAD
    case FIND_MAXCSN:
        cf.f_choice = LDAP_FILTER_GE;
        /* If there are multiple CSNs, use the one with our serverID */
        for ( i=0; i<si->si_numcsns; i++) {
            if ( slap_serverID == si->si_sids[i] ) {
                maxid = i;
                break;
            }
        }
        if ( i == si->si_numcsns ) {
            /* No match: this is multimaster, and none of the content in the DB
             * originated locally. Treat like no CSN.
             */
            return LDAP_NO_SUCH_OBJECT;
        }
>
> > There are no writes above, you've only shown searches.
>
> Yes there are no writes because this is an extract of the startup log.
>
> > How many times do you restart slapd and why?
>
> In production I restart slapd once a day for backup. But the problem is
> that if I restart it for any reason I have to wait too much for the
> service to be available.
A cold backup of the bdb dir I take it.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
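To make the FIND_MAXCSN rule quoted above concrete, here is an added Python model (not OpenLDAP code) of the two starting points under discussion: the contextCSN carrying our own serverID, which is what syncprov uses, versus the newest contextCSN regardless of serverID, which is what the report asks for. It assumes the CSN layout seen in the ITS#5578 trace on this page (time#count#sid#mod, sid in hex), and the sample CSNs and entry set are constructed.

```python
import re
from dataclasses import dataclass

# CSN layout as it appears in the ITS#5578 trace on this page:
# 20080814122245.470522Z#000000#000#000000  ->  time # count # sid # mod
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

@dataclass(frozen=True)
class CSN:
    raw: str
    sid: int  # serverID that issued the change; the field syncprov compares

def parse_csn(value):
    m = CSN_RE.match(value)
    if m is None:
        raise ValueError("not a CSN: %r" % value)
    return CSN(value, int(m.group(3), 16))

def find_maxcsn(context_csns, slap_server_id):
    """FIND_MAXCSN as quoted: take the contextCSN whose sid is our own serverID;
    with no match behave as if there were no CSN (slapd: LDAP_NO_SUCH_OBJECT)."""
    for csn in context_csns:
        if csn.sid == slap_server_id:
            return csn
    return None

def newest_csn(context_csns):
    """The alternative from the report: ignore the sid and start from the newest
    contextCSN. CSNs are fixed-width, so string order is chronological order."""
    return max(context_csns, key=lambda c: c.raw)

def entries_scanned(entry_csns, start):
    """How many entries the startup search (LDAP_FILTER_GE on entryCSN) reads
    when it starts from `start`; None when there is no starting CSN at all."""
    if start is None:
        return None
    return sum(1 for e in entry_csns if e.raw >= start.raw)

# Constructed sample: two mirrors, serverID 1 and 2; serverID 2 wrote most recently.
CONTEXT = [parse_csn(s) for s in (
    "20080814120000.000000Z#000000#001#000000",
    "20080814123000.000000Z#000000#002#000000",
)]
ENTRIES = [parse_csn(s) for s in (
    "20080814115900.000000Z#000000#001#000000",
    "20080814120500.000000Z#000000#002#000000",
    "20080814122000.000000Z#000000#002#000000",
    "20080814123000.000000Z#000000#002#000000",
)]
```

With serverID 1 the intended rule starts from the older, locally issued CSN and reads three of the four entries, while the newest-CSN rule would read one; a server whose serverID appears in no contextCSN gets no starting point, which is the "treat like no CSN" branch.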
(ITS#5656) Bind operations with translucent overlay
by mateusz.kijowski@gmail.com
Full_Name: Mateusz Kijowski
Version: 2.3.43
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.126.222.22)
In some use scenarios, it is useful if the translucent overlay does not forward
bind operation requests to the remote server when there are values for
userPassword attribute in the local database. It would be nice if this could be
enabled or disabled by a configuration option. For consistency, enabling this
behavior should also affect the PASSMOD extended operation to modify the local
value of userPassword.
Re: (ITS#5578) sortvals error
by andrew.findlay@skills-1st.co.uk
On Sat, Jul 05, 2008 at 09:31:28PM +0000, hyc(a)symas.com wrote:
> Thanks for the report. Seems the search routine wasn't copied correctly from
> back-bdb/idl.c. Fixed now in HEAD.
Not quite I'm afraid. It now crashes if a value is added that
sorts to the head of the list.
I applied this LDIF to the original test case data:
dn: cn=tenK,ou=groups,o=test,dc=example,dc=org
changetype: modify
add: member
member: uniqueIdentifier=a_0,dc=example,dc=org
Running the server with '-d 65535' the trace ends thus:
<= entry_decode(cn=tenK,ou=groups,o=test,dc=example,dc=org)
bdb_modify: cn=tenK,ou=groups,o=test,dc=example,dc=org
slap_queue_csn: queing 0xa74b3c42 20080814122245.470522Z#000000#000#000000
bdb_dn2entry("cn=tenk,ou=groups,o=test,dc=example,dc=org")
bdb_modify_internal: 0x00000004: cn=tenK,ou=groups,o=test,dc=example,dc=org
<= acl_access_allowed: granted to database root
bdb_modify_internal: add member
dnMatch 5
"uniqueIdentifier=a_004997,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_004995,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_000001,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_000000,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_004997,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_004995,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_000001,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
dnMatch 5
"uniqueIdentifier=a_000000,dc=example,dc=org"
"uniqueIdentifier=a_0,dc=example,dc=org"
Program received signal SIGSEGV, Segmentation fault.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Re: (ITS#5640) slapd scans too many objects at startup
by ali.pouya@free.fr
Gavin Henry <ghenry(a)suretecsystems.com> wrote :
> ali.pouya(a)free.fr wrote:
> Why do you change serverID?
In a configuration with two mirrors I have to set two different IDs. The problem
is that the replica defaults to serverID=0, whilst I understood that the replica
does not need a serverID.
>
> So you're saying serverID=0, serverID=1, serverID=2 makes a difference
> from serverID=1, serverID=2, serverID=3?
>
> They only have to be unique.
>
Yes. Let me put the problem another way:
In 2.4.11 each time you start slapd (master as well as replica) it scans (reads)
all of the objects being more recent than its contextCSN value having ITS OWN
serverID. Wouldn't it be better that it scans only the objects more recent than
the most recent value of the contextCSN?
If you have millions of such entries the scanning takes too long.
Is this a bug or a normal feature?
> There are no writes above, you've only shown searches.
Yes there are no writes because this is an extract of the startup log.
> How many times do you restart slapd and why?
In production I restart slapd once a day for backup. But the problem is that if
I restart it for any reason I have to wait too much for the service to be
available.
I hope I have understood and answered your questions.
Thanks
Best Regards
Ali
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by michael@stroeder.com
Philip Guenther wrote:
> On Thu, 14 Aug 2008, Michael Ströder wrote:
> ...
>> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for,
>> isn't it? It's directly passed to OpenSSL and can also be used to enable
>> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.
>
> Nope. The cipher suite list and protocol versions supported are
> orthogonal: even if you include "!SSLv2" in your cipher suite, openssl
> will still send an SSLv2-compatible handshake. Ditto on the server side:
> when OpenSSL announced a vulnerability in the server SSLv2 handshake code,
> I looked at whether specifying "!SSLv2" in the cipher spec would protect
> the server as a workaround. Nope: only setting the SSL_OP_NO_SSLv2 option
> or using a SSLv3-only or TLSv1-only method would do it.
Ok.
>> Apache HTTP server does it also that way. See:
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
>
> They also have the "SSLProtocol" directive, further down on that page.
Then I'd vote for doing it exactly like this with one option (space- or
comma-separated list of protocols).
Ciao, Michael.
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther+ldapdev@sendmail.com
On Wed, 13 Aug 2008, Howard Chu wrote:
> Philip Guenther wrote:
...
> > OpenSSL's API for this is a bitfield with symbolic names, so there
> > would still need to be a maintained mapping from whatever schema
> > OpenLDAP provided to that bit set.
>
> Yes, but there's no forward compatibility impact from this. I.e., if we
> have to map numbers to bitfields, we can just have a default case: if
> the number is higher than any we recognize, just disable all the bits we
> know about and assume the TLS library is smart enough to do something
> useful with whatever is left.
Hmm, with a warning in the docs "if you set this option to a value beyond
the range understood by your version of OpenLDAP or the underlying SSL
library, it may enforce a lower minimum or fail completely".
So instead of writing
TLS_PROTOCOL_MIN TLSv1.0
they would write
TLS_PROTOCOL_MIN 3,1
etc? I guess that's acceptable to me, albeit a little user unfriendly.
> > I guess an alternative would be to directly expose the
> > SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it
> > directly to that call. Of course, the admin would have to read the .h
> > file and do some math to figure out what to set, and there's no guarantee
> > that OpenSSL won't change those values across a version change...
>
> I think at this point we need to get away from using implementation-specific
> values. Back when OpenSSL was the only game in town I wouldn't have worried
> too much about it, but now it's becoming more of an issue.
I guess I shouldn't have left out the "<joke>" brackets around that.
Philip
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by hyc@symas.com
Philip Guenther wrote:
> On Wed, 13 Aug 2008, Howard Chu wrote:
>> This should use a single option flag and a numeric or bitfield argument
>> for selecting protocols instead. Since we're talking about minimum
>> settings, it should likely just be an increasing range of numbers.
>>
>> I note that the on-the-wire protocol version is just a 16 bit integer;
>> we could define protocol names that correspond directly to these values.
>
> OpenSSL's API for this is a bitfield with symbolic names, so there would
> still need to be a maintained mapping from whatever schema OpenLDAP
> provided to that bit set.
Yes, but there's no forward compatibility impact from this. I.e., if we have
to map numbers to bitfields, we can just have a default case: if the number is
higher than any we recognize, just disable all the bits we know about and
assume the TLS library is smart enough to do something useful with whatever is
left.
> I guess an alternative would be to directly expose the
> SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it
> directly to that call. Of course, the admin would have to read the .h
> file and do some math to figure out what to set, and there's no guarantee
> that OpenSSL won't change those values across a version change...
I think at this point we need to get away from using implementation-specific
values. Back when OpenSSL was the only game in town I wouldn't have worried
too much about it, but now it's becoming more of an issue.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther+ldapdev@sendmail.com
On Wed, 13 Aug 2008, Howard Chu wrote:
> This should use a single option flag and a numeric or bitfield argument
> for selecting protocols instead. Since we're talking about minimum
> settings, it should likely just be an increasing range of numbers.
>
> I note that the on-the-wire protocol version is just a 16 bit integer;
> we could define protocol names that correspond directly to these values.
OpenSSL's API for this is a bitfield with symbolic names, so there would
still need to be a maintained mapping from whatever schema OpenLDAP
provided to that bit set.
I guess an alternative would be to directly expose the
SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it
directly to that call. Of course, the admin would have to read the .h
file and do some math to figure out what to set, and there's no guarantee
that OpenSSL won't change those values across a version change...
Philip Guenther
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther+ldapdev@sendmail.com
On Thu, 14 Aug 2008, Michael Ströder wrote:
...
> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for,
> isn't it? It's directly passed to OpenSSL and can also be used to enable
> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.
Nope. The cipher suite list and protocol versions supported are
orthogonal: even if you include "!SSLv2" in your cipher suite, openssl
will still send an SSLv2-compatible handshake. Ditto on the server side:
when OpenSSL announced a vulnerability in the server SSLv2 handshake code,
I looked at whether specifying "!SSLv2" in the cipher spec would protect
the server as a workaround. Nope: only setting the SSL_OP_NO_SSLv2 option
or using a SSLv3-only or TLSv1-only method would do it.
> Apache HTTP server does it also that way. See:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
They also have the "SSLProtocol" directive, further down on that page.
Philip Guenther
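The two technical points of this thread, that a cipher string cannot switch off a protocol version and that a minimum-version setting has to be mapped onto OpenSSL's SSL_OP_NO_* bits with a safe default for values newer than the mapping knows, as an added Python example that is not OpenLDAP code: Python's ssl module exposes the same OpenSSL option bits, and the KNOWN_VERSIONS table, the function names and the "3,1" parsing are mine, following the spellings floated above. (The option that later shipped in ldap.conf(5) as TLS_PROTOCOL_MIN takes the version as major.minor with a dot.)

```python
import ssl

# Wire (major, minor) pairs for the versions named in the thread, each paired with
# the SSL_CTX option bit that turns it off (Python's ssl exposes the OpenSSL bits).
# Constructed table; "3,1" is the TLS_PROTOCOL_MIN spelling floated in the thread.
KNOWN_VERSIONS = [
    ((2, 0), "SSLv2",   ssl.OP_NO_SSLv2),
    ((3, 0), "SSLv3",   ssl.OP_NO_SSLv3),
    ((3, 1), "TLSv1.0", ssl.OP_NO_TLSv1),
    ((3, 2), "TLSv1.1", ssl.OP_NO_TLSv1_1),
    ((3, 3), "TLSv1.2", ssl.OP_NO_TLSv1_2),
    ((3, 4), "TLSv1.3", ssl.OP_NO_TLSv1_3),
]

def parse_protocol_min(spec):
    """Accept either spelling from the thread: a name ('TLSv1.0') or 'major,minor' ('3,1')."""
    spec = spec.strip()
    for version, name, _bit in KNOWN_VERSIONS:
        if spec == name:
            return version
    major, minor = spec.split(",")
    return (int(major), int(minor))

def disabled_names(spec):
    """Versions strictly below the minimum, i.e. the ones that get switched off."""
    minimum = parse_protocol_min(spec)
    return [name for version, name, _bit in KNOWN_VERSIONS if version < minimum]

def protocol_min_options(spec):
    """Bitmask for SSL_CTX_set_options(). The default case Howard describes falls
    out of the comparison: a minimum newer than anything in the table disables
    every bit we know and leaves the library to cope with whatever is left."""
    minimum = parse_protocol_min(spec)
    mask = 0
    for version, _name, bit in KNOWN_VERSIONS:
        if version < minimum:
            mask |= bit
    return mask

def make_client_context(spec):
    """Apply the minimum the way a TLS_PROTOCOL_MIN knob would: OR the bits into the context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= protocol_min_options(spec)
    return ctx

def cipher_string_changes_protocol_bits(ctx, cipher_string):
    """Philip's point: the cipher list and the protocol-version bits are orthogonal,
    so installing a new cipher string leaves ctx.options untouched."""
    before = ctx.options
    ctx.set_ciphers(cipher_string)
    return ctx.options != before
```

On builds where OpenSSL has already dropped a version, the matching OP_NO_* bit is zero, so OR-ing it in is harmless, which is exactly the "let the library cope" behaviour the default case relies on.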