From siddjain@live.com Wed Apr 24 16:26:51 2019
From: siddjain@live.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before
 sending it to client
Date: Wed, 24 Apr 2019 16:26:49 +0000
Message-ID: <E1hJKjR-0006kn-AG@gauss.openldap.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6013370356599914543=="

--===============6013370356599914543==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

--_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

we have documented complete steps to repro the bug here<https://github.com/=
siddjain/openldap-bug> with container logs.

________________________________
From: Howard Chu <hyc(a)symas.com>
Sent: Monday, April 22, 2019 10:15 AM
To: siddjain(a)live.com; openldap-its(a)OpenLDAP.org
Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef=
ore sending it to client

siddjain(a)live.com wrote:
> Full_Name: SIDDHARTH JAIN
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (173.226.196.10)
>
>
> In some cases, OpenLDAP will modify the TLS certificate given to it befor=
e
> sending it over to the client resulting in a certificate signature error.=
 An
> example of certificate it modifies is given below:

OpenLDAP never touches the certificates you configure. If you're getting a =
corrupted
certificate then there's either a bug in your storage/filesystem or in your=
 SSL/TLS library.

--
  -- Howard Chu
  CTO, Symas Corp.           https://eur04.safelinks.protection.outlook.com=
/?url=3Dhttp%3A%2F%2Fwww.symas.com&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff=
954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C6369155015543=
63548&amp;sdata=3D7ca82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&amp;reserv=
ed=3D0
  Director, Highland Sun     https://eur04.safelinks.protection.outlook.com=
/?url=3Dhttp%3A%2F%2Fhighlandsun.com%2Fhyc%2F&amp;data=3D02%7C01%7C%7Cb0dec=
02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63=
6915501554363548&amp;sdata=3DFr3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDR=
GNjx8Lo%3D&amp;reserved=3D0
  Chief Architect, OpenLDAP  https://eur04.safelinks.protection.outlook.com=
/?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&amp;data=3D02%7C01%7C%7C=
b0dec02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0=
%7C636915501554373561&amp;sdata=3DJ%2B926RRaeQIx6%2BIvx70BnHqZ0zj4SO5ilR6VP=
vdiTsk%3D&amp;reserved=3D0

--_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;=
 color: rgb(0, 0, 0);">
<span style=3D"color: rgb(36, 41, 46); font-family: -apple-system, system-u=
i, &quot;Segoe UI&quot;, Helvetica, Arial, sans-serif, &quot;Apple Color Em=
oji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;; font-si=
ze: 14px; background-color: rgb(255, 255, 255); display: inline !important"=
>we
 have documented complete steps to repro the bug<span>&nbsp;</span></span><=
a href=3D"https://github.com/siddjain/openldap-bug" style=3D"box-sizing: bo=
rder-box; background-color: rgb(255, 255, 255); color: rgb(3, 102, 214); fo=
nt-family: -apple-system, system-ui, &quot;Segoe UI&quot;, Helvetica, Arial=
, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &q=
uot;Segoe UI Symbol&quot;; font-size: 14px">here</a><span style=3D"color: r=
gb(36, 41, 46); font-family: -apple-system, system-ui, &quot;Segoe UI&quot;=
, Helvetica, Arial, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe =
UI Emoji&quot;, &quot;Segoe UI Symbol&quot;; font-size: 14px; background-co=
lor: rgb(255, 255, 255); display: inline !important"><span>&nbsp;</span>wit=
h
 container logs.</span><br>
</div>
<div>
<div id=3D"appendonsend"></div>
<div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col=
or:rgb(0,0,0)">
<br>
</div>
<hr tabindex=3D"-1" style=3D"display:inline-block; width:98%">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co=
lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Howard Chu &lt;hyc(a)sy=
mas.com&gt;<br>
<b>Sent:</b> Monday, April 22, 2019 10:15 AM<br>
<b>To:</b> siddjain(a)live.com; openldap-its(a)OpenLDAP.org<br>
<b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific=
ate before sending it to client</font>
<div>&nbsp;</div>
</div>
<div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"=
>
<div class=3D"PlainText">siddjain(a)live.com wrote:<br>
&gt; Full_Name: SIDDHARTH JAIN<br>
&gt; Version: 2.4.45<br>
&gt; OS: Linux<br>
&gt; URL: <a href=3D"ftp://ftp.openldap.org/incoming/">ftp://ftp.openldap.o=
rg/incoming/</a><br>
&gt; Submission from: (NULL) (173.226.196.10)<br>
&gt; <br>
&gt; <br>
&gt; In some cases, OpenLDAP will modify the TLS certificate given to it be=
fore<br>
&gt; sending it over to the client resulting in a certificate signature err=
or. An<br>
&gt; example of certificate it modifies is given below:<br>
<br>
OpenLDAP never touches the certificates you configure. If you're getting a =
corrupted<br>
certificate then there's either a bug in your storage/filesystem or in your=
 SSL/TLS library.<br>
<br>
-- <br>
&nbsp; -- Howard Chu<br>
&nbsp; CTO, Symas Corp.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; <a href=3D"https://eur04.safelinks.protection.outlook.com/?url=3Dh=
ttp%3A%2F%2Fwww.symas.com&amp;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b0=
8d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548=
&amp;amp;sdata=3D7ca82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&amp;amp;res=
erved=3D0">
https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.syma=
s.com&amp;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9e=
7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;amp;sdata=3D7ca=
82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&amp;amp;reserved=3D0</a><br>
&nbsp; Director, Highland Sun&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"https://eu=
r04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighlandsun.com%2F=
hyc%2F&amp;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9=
e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;amp;sdata=3DFr=
3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDRGNjx8Lo%3D&amp;amp;reserved=3D0=
">
https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighland=
sun.com%2Fhyc%2F&amp;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462d=
a0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;amp;=
sdata=3DFr3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDRGNjx8Lo%3D&amp;amp;re=
served=3D0</a><br>
&nbsp; Chief Architect, OpenLDAP&nbsp; <a href=3D"https://eur04.safelinks.p=
rotection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&amp=
;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640a=
fb435aaaaaaaaaaaa%7C1%7C0%7C636915501554373561&amp;amp;sdata=3DJ%2B926RRaeQ=
Ix6%2BIvx70BnHqZ0zj4SO5ilR6VPvdiTsk%3D&amp;amp;reserved=3D0">
https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.open=
ldap.org%2Fproject%2F&amp;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c=
7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554373561&amp=
;amp;sdata=3DJ%2B926RRaeQIx6%2BIvx70BnHqZ0zj4SO5ilR6VPvdiTsk%3D&amp;amp;res=
erved=3D0</a><br>
</div>
</span></font></div>
</div>
</body>
</html>

--_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_--




--===============6013370356599914543==--