June 2012 - openldap-bugs

(ITS#7290) ldap_int_initialize() routine doesn't setup debug-level when calling ldap_int_initialize_global_options() routine

by sheng-yu.chen＠hp.com

Full_Name: Sheng-Yu.Chen Version: all OS: Windows7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (15.195.201.86) 1. Initialize the OpenLDAP debug-level by call ldap_set_option(NULL, LBER_OPT_DEBUG_LEVEL, 127). Note, ldap_set_option() is the first call to OpenLDAP libraries which would trigger the ldap_int_initialize() 2. In ldap_int_initialize(), OpenLDAP will call ldap_int_initialize_global_options(gopts, NULL), which means it would ignore the debug-level value 3. So the result is all the debug information happened in ldap_int_initialize_global_options() WILL be ignored.

10 years, 9 months

1
0
0 / 0

Re: (ITS#7289) Mozilla NSS: cipher suite selection by name may be ignored

by tim.strobell.ctr＠nrl.navy.mil

Forgot to add that this bug is (was) masked by ITS#7285.

10 years, 9 months

1
0
0 / 0

(ITS#7289) Mozilla NSS: cipher suite selection by name may be ignored

by tim.strobell.ctr＠nrl.navy.mil

Full_Name: Tim Strobell Version: HEAD OS: RHEL6 URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060501.patch Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000) Under certain circumstances, cipher suite selection by name ("OpenSSL name") may inadvertently cause any additional named cipher selections to be ignored. In tls_m.c:625... for (i=0; i<ciphernum; i++) { if (!strcmp(ciphers_def[i].ossl_name, cipher) && cipher_list[1] != -1) cipher_list[i] = action; } The index into cipher_list on line 627 is 1 (one) but should be i (eye). Any cipher selection that disables RC2-CBC-MD5 (cipher_list[1]) will not add/subtract/disable (action = 1, 0, -1 resp.) any further named ciphers in the list.

10 years, 9 months

1
0
0 / 0

(ITS#7288) Doc update for MemberOf Overlay: add cn=config info

by openldap＠stompro.org

Full_Name: Josh Stompro Version: HEAD OS: Debian URL: ftp://ftp.openldap.org/incoming/josh-stompro-120605.patch Submission from: (NULL) (216.239.28.98) I uploaded a patch to openldap incoming ftp server name josh-stompro-120605.patch. This patch updates the man page for the MemberOf Overlay to include cn=config style instructions, and update the config option names so they comply with the cn=config style. I had to resort to google to figure out how to add this overlay since I'm not all that familiar with the cn=config format yet, and the documentation doesn't make it easy to figure out. I found an article on serverfault[1] that had the examples I needed to get it to work. This is my attempt to make it easier for the next individual. I, Josh Stompro, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. 1 - http://serverfault.com/questions/73213/how-do-i-configure-reverse-group-m...

10 years, 9 months

1
0
0 / 0

Re: (ITS#7286) Malformed search filter to back-ldap/slapo-rwm crashes slapd

by masarati＠aero.polimi.it

On 06/05/2012 12:48 PM, hyc(a)symas.com wrote: > gahaverkamp(a)lbl.gov wrote: >> --e89a8fb1fbfae973ef04c1b0bad6 >> Content-Type: text/plain; charset=ISO-8859-1 >> >> I thought I had, but I now see that I left off "full". >> >> (gdb) bt full > > We slso need to see the slapd config. Without carefully looking at it, it could be related to reinstalling the original context because of the error. See ITS#6166. p. -- Pierangelo Masarati Associate Professor Dipartimento di Ingegneria Aerospaziale Politecnico di Milano

10 years, 9 months

1
0
0 / 0

Re: (ITS#7286) Malformed search filter to back-ldap/slapo-rwm crashes slapd

by hyc＠symas.com

gahaverkamp(a)lbl.gov wrote: > --e89a8fb1fbfae973ef04c1b0bad6 > Content-Type: text/plain; charset=ISO-8859-1 > > I thought I had, but I now see that I left off "full". > > (gdb) bt full We slso need to see the slapd config. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

10 years, 9 months

1
0
0 / 0

Re: (ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert

by hyc＠symas.com

jvcelak(a)redhat.com wrote: > Full_Name: Jan Vcelak > Version: git master > OS: Linux > URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-i... > Submission from: (NULL) (209.132.186.34) > > > If the peer certificate verification fails and the certificate does not contain > Basic Constraint Extension, wrong TLS error message is reported by the library. > In addition, TLS_REQCERT=never does not work in this situation. This is caused > by overwriting the original error code in tlsm_verify_cert() function. > > Attached patch fixes this behavior. Applied to master. > > Old version: > > $ ldapsearch -x -ZZ > ldap_start_tls: Connect error (-11) > additional info: TLS error -8157:Certificate extension not found. > > Fixed version: > > $ ldapsearch -x -ZZ > ldap_start_tls: Connect error (-11) > additional info: TLS error -8172:Peer's certificate issuer has been > marked as not trusted by the user. > > > The attached file is derived from OpenLDAP Software. All of the modifications to > OpenLDAP Software represented in the following patch(es) were developed by Red > Hat. Red Hat has not assigned rights and/or interest in this work to any party. > I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under > the following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

10 years, 9 months

1
0
0 / 0

Re: (ITS#7285) Mozilla NSS: default cipher suite always selected

by hyc＠symas.com

jvcelak(a)redhat.com wrote: > The patch is fine. I was just about to send exactly the same. We have a > report in our bugzilla for this. Thanks for the confirmation, fixed now in master. > > On Monday 04 of June 2012 21:56:08, tim.strobell.ctr(a)nrl.navy.mil wrote: >> Full_Name: Tim Strobell >> Version: HEAD >> OS: RHEL6 >> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch >> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000) >> >> >> When using NSS, the default cipher suite selection is used even when >> TLSCipherSuite is explicitly specified. This behavior was introduced in the >> patch provided in ITS#6790. >> >> At tls_m.c:2221... >> >> if ( lt->lt_ciphersuite && >> tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) { >> [ error, return ] >> } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) { >> [ error, return ] >> } >> >> tlsm_parse_ciphers returns 0 on success; the else path is always followed >> and overrides the previous cipher suite selection. > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

10 years, 9 months

1
0
0 / 0

(ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert

by jvcelak＠redhat.com

Full_Name: Jan Vcelak Version: git master OS: Linux URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-i... Submission from: (NULL) (209.132.186.34) If the peer certificate verification fails and the certificate does not contain Basic Constraint Extension, wrong TLS error message is reported by the library. In addition, TLS_REQCERT=never does not work in this situation. This is caused by overwriting the original error code in tlsm_verify_cert() function. Attached patch fixes this behavior. Old version: $ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. Fixed version: $ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

10 years, 9 months

1
0
0 / 0

Re: (ITS#7285) Mozilla NSS: default cipher suite always selected

by jvcelak＠redhat.com

The patch is fine. I was just about to send exactly the same. We have a report in our bugzilla for this. On Monday 04 of June 2012 21:56:08, tim.strobell.ctr(a)nrl.navy.mil wrote: > Full_Name: Tim Strobell > Version: HEAD > OS: RHEL6 > URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch > Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000) > > > When using NSS, the default cipher suite selection is used even when > TLSCipherSuite is explicitly specified. This behavior was introduced in the > patch provided in ITS#6790. > > At tls_m.c:2221... > > if ( lt->lt_ciphersuite && > tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) { > [ error, return ] > } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) { > [ error, return ] > } > > tlsm_parse_ciphers returns 0 on success; the else path is always followed > and overrides the previous cipher suite selection.

10 years, 9 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs June 2012