openldap-bugs

openldap-bugs@openldap.org

1 participants
21003 discussions

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by rmeggins＠redhat.com 14 Jul '10

14 Jul '10

Howard Chu wrote: > Rich Megginson wrote: >> Howard Chu wrote: >>> rmeggins(a)redhat.com wrote: >>>> Full_Name: Rich Megginson >>>> Version: 2.4.23 >>>> OS: Fedora >>>> URL: >>>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… >>>> >>>> >>>> Submission from: (NULL) (76.113.111.209) >>>> >>>> >>>> MozNSS doesn't like self-signed CA certs that are also used for >>>> TLS/SSL server certs (such as generated by openssl req -x509) >>>> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that >>>> case >>>> so, see if the cert and issuer are the same cert, and allow the >>>> use of it (with a warning) >>> >>> If you checked to see if the issuer is already trusted, I guess the >>> patch is OK. >>> >>> But that aside, MozNSS's behavior sounds correct to me, and our >>> documentation says to use explicit CA certs, separate from the server >>> cert. Is it really a good idea to break this validation check? >> Probably not, but openssl seems to allow it. This provides parity with >> the openssl implementation. >> >> This issue came up when testing openldap with NSS support in Fedora. >> The Fedora package creates a self signed CA cert using openssl req >> -x509. This works with openldap+openssl, but fails with >> openldap+moznss. > > In the OpenSSL case, it only succeeds if the cert is configured as > both a CA cert and a server cert. I.e., the client must have been > configured to trust the cert already. I believe for your patch, it > should fail when CERT_FindCertIssuer() returns NULL. No? You are correct. I've uploaded a new patch. URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714-2… <ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p…> Here is the diff between the two patches: 32,34c32 < + /* no issuer - warn and allow */ < + status = SECSuccess; < + rc = 0; --- > + /* no issuer - fail */ 36c34 < + "TLS: warning: the server certificate %s has no issuer - " --- > + "TLS: error: the server certificate %s has no issuer - " > >>> Also, where does this check occur in the main sequence of verification >>> - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already >>> been checked successfully? >> Yes. This check occurs in the cert chain processing, which is done >> last. > > OK. >

1 0

ITS#6570 published: SECURITY: Two OpenLDAP preauth vulnerabilities
by openldap-its＠OpenLDAP.org 14 Jul '10

14 Jul '10

Private ITS#6570 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=6570

1 0

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by hyc＠symas.com 14 Jul '10

14 Jul '10

Rich Megginson wrote: > Howard Chu wrote: >> rmeggins(a)redhat.com wrote: >>> Full_Name: Rich Megginson >>> Version: 2.4.23 >>> OS: Fedora >>> URL: >>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… >>> >>> Submission from: (NULL) (76.113.111.209) >>> >>> >>> MozNSS doesn't like self-signed CA certs that are also used for >>> TLS/SSL server certs (such as generated by openssl req -x509) >>> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that >>> case >>> so, see if the cert and issuer are the same cert, and allow the >>> use of it (with a warning) >> >> If you checked to see if the issuer is already trusted, I guess the >> patch is OK. >> >> But that aside, MozNSS's behavior sounds correct to me, and our >> documentation says to use explicit CA certs, separate from the server >> cert. Is it really a good idea to break this validation check? > Probably not, but openssl seems to allow it. This provides parity with > the openssl implementation. > > This issue came up when testing openldap with NSS support in Fedora. > The Fedora package creates a self signed CA cert using openssl req > -x509. This works with openldap+openssl, but fails with openldap+moznss. In the OpenSSL case, it only succeeds if the cert is configured as both a CA cert and a server cert. I.e., the client must have been configured to trust the cert already. I believe for your patch, it should fail when CERT_FindCertIssuer() returns NULL. No? >> Also, where does this check occur in the main sequence of verification >> - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already >> been checked successfully? > Yes. This check occurs in the cert chain processing, which is done last. OK. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by rmeggins＠redhat.com 14 Jul '10

14 Jul '10

Howard Chu wrote: > rmeggins(a)redhat.com wrote: >> Full_Name: Rich Megginson >> Version: 2.4.23 >> OS: Fedora >> URL: >> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… >> >> Submission from: (NULL) (76.113.111.209) >> >> >> MozNSS doesn't like self-signed CA certs that are also used for >> TLS/SSL server certs (such as generated by openssl req -x509) >> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that >> case >> so, see if the cert and issuer are the same cert, and allow the >> use of it (with a warning) > > If you checked to see if the issuer is already trusted, I guess the > patch is OK. > > But that aside, MozNSS's behavior sounds correct to me, and our > documentation says to use explicit CA certs, separate from the server > cert. Is it really a good idea to break this validation check? Probably not, but openssl seems to allow it. This provides parity with the openssl implementation. This issue came up when testing openldap with NSS support in Fedora. The Fedora package creates a self signed CA cert using openssl req -x509. This works with openldap+openssl, but fails with openldap+moznss. > > Also, where does this check occur in the main sequence of verification > - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already > been checked successfully? Yes. This check occurs in the cert chain processing, which is done last. > >> This patch file is derived from OpenLDAP Software. All of the >> modifications to OpenLDAP Software represented in the following >> patch(es) were developed by Red Hat. Red Hat has not assigned rights >> and/or interest in this work to any party. I, Rich Megginson am >> authorized by Red Hat, my employer, to release this work under the >> following terms. >> >> Red Hat hereby place the following modifications to OpenLDAP Software >> (and only these modifications) into the public domain. Hence, these >> modifications may be freely used and/or redistributed for any purpose >> with or without attribution and/or other notice. >

1 0

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by hyc＠symas.com 14 Jul '10

14 Jul '10

rmeggins(a)redhat.com wrote: > Full_Name: Rich Megginson > Version: 2.4.23 > OS: Fedora > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… > Submission from: (NULL) (76.113.111.209) > > > MozNSS doesn't like self-signed CA certs that are also used for > TLS/SSL server certs (such as generated by openssl req -x509) > CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case > so, see if the cert and issuer are the same cert, and allow the > use of it (with a warning) If you checked to see if the issuer is already trusted, I guess the patch is OK. But that aside, MozNSS's behavior sounds correct to me, and our documentation says to use explicit CA certs, separate from the server cert. Is it really a good idea to break this validation check? Also, where does this check occur in the main sequence of verification - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already been checked successfully? > This patch file is derived from OpenLDAP Software. All of the > modifications to OpenLDAP Software represented in the following > patch(es) were developed by Red Hat. Red Hat has not assigned rights > and/or interest in this work to any party. I, Rich Megginson am > authorized by Red Hat, my employer, to release this work under the > following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software > (and only these modifications) into the public domain. Hence, these > modifications may be freely used and/or redistributed for any purpose > with or without attribution and/or other notice. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by rmeggins＠redhat.com 14 Jul '10

14 Jul '10

Full_Name: Rich Megginson Version: 2.4.23 OS: Fedora URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… Submission from: (NULL) (76.113.111.209) MozNSS doesn't like self-signed CA certs that are also used for TLS/SSL server certs (such as generated by openssl req -x509) CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case so, see if the cert and issuer are the same cert, and allow the use of it (with a warning) This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Rich Megginson am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#6588) Change log not up to date on www.openldap.org
by Kurt＠OpenLDAP.org 13 Jul '10

13 Jul '10

On Jul 13, 2010, at 2:39 AM, jonathan(a)phillipoux.net wrote: > Full_Name: Jonathan Clarke > Version: 2.4.23 > OS:=20 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.14.151.50) >=20 >=20 > The page at http://www.openldap.org/software/release/changes.html only = lists > changes for the 2.4.22 release, although 2.4.23 is now released. Fixed. -- Kurt

1 0

(ITS#6588) Change log not up to date on www.openldap.org
by jonathan＠phillipoux.net 13 Jul '10

13 Jul '10

Full_Name: Jonathan Clarke Version: 2.4.23 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.14.151.50) The page at http://www.openldap.org/software/release/changes.html only lists changes for the 2.4.22 release, although 2.4.23 is now released. This should be updated, I guess! In the mean time, changes can be consulted here: http://www.openldap.org/devel/cvsweb.cgi/~checkout~/Attic/CHANGES?rev=1.5.1…

1 0

Re: (ITS#6585) close is called from dap_unbind_s with fd = -1
by asifiqbal.desai＠gmail.com 12 Jul '10

12 Jul '10

Can somebody take a look at this issue. Note that the issue here is with close() being called from ldap_unbind_s with fd = (-1). Please read the first line in my original bug description email as: This is a consulation bug for clarification on close() being called from ldap_unbind_s with fd = -1.

1 0

Re: (ITS#6587) lconn_refcnt is not thread-safe
by hyc＠symas.com 10 Jul '10

10 Jul '10

test.007(a)seznam.cz wrote: > Full_Name: Test Seven > Version: 2.4.22 > OS: Windows > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (195.113.184.10) > > > lconn_refcnt is read and written without any sync mechanism, which may cause > subtle multi-threading issues. You're mistaken. ld->ld_res_mutex is owned in all cases where lc->lconn_refcnt is touched. > E.g. libldap/result.c -r1.172 > #ifdef LDAP_R_COMPILE > ldap_pvt_thread_mutex_unlock(&ld->ld_conn_mutex ); > #endif > rc = try_read1msg( ld, msgid, all, lc, result ); > lnext = lc->lconn_next; > /* Only take locks if we're really freeing */ > if ( lc->lconn_refcnt<= 1 ) { > #ifdef LDAP_R_COMPILE > ldap_pvt_thread_mutex_lock(&ld->ld_req_mutex ); > #endif > ldap_free_connection( ld, lc, 0, 1 ); > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs