openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

Re: (ITS#7632) ldap_start_tls_s core dumps for 64 bit
by quanah＠symas.com 29 Apr '19

29 Apr '19

--On Wednesday, June 26, 2013 6:20 AM +0000 a16474(a)gmail.com wrote: > Full_Name: Amit Sinha > Version: openldap-2.4.35 > OS: Linux 2.6.18-308.11.1.el5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (72.163.217.105) > > > When i compile and run the below code on linux 64 bit, it core dumps in > ldap_start_tls_s(). Hello, Thank you for the report! I apologize for the (very very long) delay in response. This issue no longer seems to occur with current OpenLDAP/OpenSSL releases (nor does it happen with OpenLDAP/GnuTLS). I believe one of the many fixes to OpenLDAP's TLS code has since resolved this issue. I tested with both OpenSSL 1.0.2k and 1.1.1b. This ITS will be closed. Warm regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#9015) Replication goes haywire querying promoted master
by ondra＠mistotebe.net 26 Apr '19

26 Apr '19

On Wed, Apr 24, 2019 at 01:30:18PM +0000, ondra(a)mistotebe.net wrote: > On Tue, Apr 23, 2019 at 11:28:40PM +0000, quanah(a)symas.com wrote: >> The consumer did not replicate the database as a part of the initial >> search, so I don't think it qualifies as "up to date". I.e., it's primary >> DB remains empty. > > Ah, that wasn't mentioned, my assumption was that the source DB was > actually empty. > > This is coming from ITS#8281 fix in cd8ff37629012c1676ef79de164a159da9b2ae89. I've pushed a change that makes sure we end up with a contexCSN, generating one if necessary whenever we're configured to be a master (olcMirrorMode is set or no olcSyncrepl exists) here: https://github.com/mistotebe/openldap/tree/its9015 It's kind of a followup on this (reverting part of ITS#8281 above): https://www.openldap.org/lists/openldap-devel/201904/msg00015.html -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by siddjain＠live.com 24 Apr '19

24 Apr '19

--_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thank you. we tried using another openldap image and that worked. so it see= ms the problem is with the osixia docker image we were using to run openlda= p. it is based on debian (which uses GnuTLS per your email) so tbh we are s= urprised it would have such a bug in it. the image that worked for us is ba= sed on alpine. https://github.com/osixia/docker-light-baseimage/blob/stable/image/Dockerfi= le https://github.com/tiredofit/docker-openldap/blob/master/Dockerfile but back to your comment, how can one isolate what TLS/SSL library OpenLDAP= is linked to in the environment you're using? [https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4]<https://g= ithub.com/tiredofit/docker-openldap/blob/master/Dockerfile> docker-openldap/Dockerfile at master =B7 tiredofit/docker-openldap =B7 GitH= ub<https://github.com/tiredofit/docker-openldap/blob/master/Dockerfile> Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbi= x Monitoring based on Alpine - tiredofit/docker-openldap github.com [https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4]<https://g= ithub.com/tiredofit/docker-openldap/blob/master/Dockerfile> docker-openldap/Dockerfile at master =B7 tiredofit/docker-openldap =B7 GitH= ub<https://github.com/tiredofit/docker-openldap/blob/master/Dockerfile> Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbi= x Monitoring based on Alpine - tiredofit/docker-openldap github.com ________________________________ From: Quanah Gibson-Mount <quanah(a)symas.com> Sent: Wednesday, April 24, 2019 1:06 PM To: siddjain(a)live.com; openldap-its(a)OpenLDAP.org Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef= ore sending it to client --On Wednesday, April 24, 2019 6:43 PM +0000 hyc(a)symas.com wrote: > siddjain(a)live.com wrote: >> --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_ >> Content-Type: text/plain; charset=3D"iso-8859-1" >> Content-Transfer-Encoding: quoted-printable >> >> could you send me output of running >> >> openssl version -a >> >> on your system? thanks > >> openssl version -a > OpenSSL 1.1.1 11 Sep 2018 > built on: Tue Dec 4 13:15:09 2018 UTC > platform: debian-amd64 I would also note that not all OpenLDAP builds use OpenSSL. For example, OpenLDAP built on Debian/Ubuntu uses GnuTLS. OpenLDAP built on some versions of RedHat 7 use MozNSS. Current RedHat 7 builds use OpenSSL but have an odd MozNSS bridge for backwards compatibilty, and there may be all sorts of odd bugs in that. Apple links OpenLDAP to its own custom SSL libary. So really your first step should be isolating what TLS/SSL library OpenLDAP is linked to in the environment you're using. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.sym= as.com&data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8f068b4%7C84df9e7fe= 9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&sdata=3DNifWEVt269= tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&reserved=3D0> --_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo= ttom:0;} </style> </head> <body dir=3D"ltr"> <div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;= color: rgb(0, 0, 0);"> Thank you. we tried using another openldap image and that worked. so it see= ms the problem is with the osixia docker image we were using to run openlda= p. it is based on debian (which <span style=3D"color: rgb(51, 51, 51);= font-family: "Segoe UI", "Segoe UI Web (West European)&quot= ;, "Segoe UI", -apple-system, system-ui, Roboto, "Helvetica = Neue", sans-serif; font-size: 14.6667px; background-color: rgb(255, 25= 5, 255); display: inline !important">uses GnuTLS per your email</span>) so tbh we are surprised it would have such a= bug in it. the image that worked for us is based on alpine. </div> <div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;= color: rgb(0, 0, 0);"> <a href=3D"https://github.com/osixia/docker-light-baseimage/blob/stable/ima= ge/Dockerfile">https://github.com/osixia/docker-light-baseimage/blob/stable= /image/Dockerfile</a><br> </div> <div> <div id=3D"appendonsend"></div> <div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col= or:rgb(0,0,0)"> <a href=3D"https://github.com/tiredofit/docker-openldap/blob/master/Dockerf= ile" id=3D"LPlnk147820">https://github.com/tiredofit/docker-openldap/blob/m= aster/Dockerfile</a></div> <div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col= or:rgb(0,0,0)"> but back to your comment, how can one <span style=3D"color: rgb(51, 51= , 51); font-family: "Segoe UI", "Segoe UI Web (West European= )", "Segoe UI", -apple-system, system-ui, Roboto, "Helv= etica Neue", sans-serif; font-size: 14.6667px; background-color: rgb(2= 55, 255, 255); display: inline !important">isolate what TLS/SSL library OpenLDAP<span> </span></span><span style=3D"colo= r: rgb(51, 51, 51); font-family: "Segoe UI", "Segoe UI Web (= West European)", "Segoe UI", -apple-system, system-ui, Robot= o, "Helvetica Neue", sans-serif; font-size: 14.6667px; background= -color: rgb(255, 255, 255); display: inline !important">is linked to in the environment you're using? </span><br style=3D"color:= rgb(51, 51, 51); font-family: "Segoe UI", "Segoe UI Web (We= st European)", "Segoe UI", -apple-system, system-ui, Roboto,= "Helvetica Neue", sans-serif; font-size: 14.6667px; background-c= olor: rgb(255, 255, 255)"> <br> <div id=3D"LPBorder_GTaHR0cHM6Ly9naXRodWIuY29tL3RpcmVkb2ZpdC9kb2NrZXItb3Blb= mxkYXAvYmxvYi9tYXN0ZXIvRG9ja2VyZmlsZQ.." class=3D"LPBorder213343" contented= itable=3D"false" style=3D"width: 100%; margin-top: 16px; margin-bottom: 16p= x; position: relative; max-width: 800px; min-width: 424px;"> <table id=3D"LPContainer213343" role=3D"presentation" style=3D"padding: 12p= x 36px 12px 12px; width: 100%; border-width: 1px; border-style: solid; bord= er-color: rgb(200, 200, 200); border-radius: 2px;"> <tbody> <tr valign=3D"top" style=3D"border-spacing: 0px;"> <td> <div id=3D"LPImageContainer213343" style=3D"position: relative; margin-righ= t: 12px; height: 160px; overflow: hidden;"> <a target=3D"_blank" id=3D"LPImageAnchor213343" href=3D"https://github.com/= tiredofit/docker-openldap/blob/master/Dockerfile"><img id=3D"LPThumbnailIma= geId213343" alt=3D"" height=3D"160" style=3D"display: block;" width=3D"160"= src=3D"https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4= "></a></div> </td> <td style=3D"width: 100%;"> <div id=3D"LPTitle213343" style=3D"font-size: 21px; font-weight: 300; margi= n-right: 8px; font-family: wf_segoe-ui_light, "Segoe UI Light", &= quot;Segoe WP Light", "Segoe UI", "Segoe WP", Taho= ma, Arial, sans-serif; margin-bottom: 12px;"> <a target=3D"_blank" id=3D"LPUrlAnchor213343" href=3D"https://github.com/ti= redofit/docker-openldap/blob/master/Dockerfile" style=3D"text-decoration: n= one; color: var(--themePrimary);">docker-openldap/Dockerfile at master =B7 = tiredofit/docker-openldap =B7 GitHub</a></div> <div id=3D"LPDescription213343" style=3D"font-size: 14px; max-height: 100px= ; color: rgb(102, 102, 102); font-family: wf_segoe-ui_normal, "Segoe U= I", "Segoe WP", Tahoma, Arial, sans-serif; margin-bottom: 12= px; margin-right: 8px; overflow: hidden;"> Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Z= abbix Monitoring based on Alpine - tiredofit/docker-openldap</div> <div id=3D"LPMetadata213343" style=3D"font-size: 14px; font-weight: 400; co= lor: rgb(166, 166, 166); font-family: wf_segoe-ui_normal, "Segoe UI&qu= ot;, "Segoe WP", Tahoma, Arial, sans-serif;"> github.com</div> </td> </tr> </tbody> </table> </div> <br> <div id=3D"LPBorder_GTaHR0cHM6Ly9naXRodWIuY29tL3RpcmVkb2ZpdC9kb2NrZXItb3Blb= mxkYXAvYmxvYi9tYXN0ZXIvRG9ja2VyZmlsZQ.." class=3D"LPBorder356508" contented= itable=3D"false" style=3D"width: 100%; margin-top: 16px; margin-bottom: 16p= x; position: relative; max-width: 800px; min-width: 424px;"> <table id=3D"LPContainer356508" role=3D"presentation" style=3D"padding: 12p= x 36px 12px 12px; width: 100%; border-width: 1px; border-style: solid; bord= er-color: rgb(200, 200, 200); border-radius: 2px;"> <tbody> <tr valign=3D"top" style=3D"border-spacing: 0px;"> <td> <div id=3D"LPImageContainer356508" style=3D"position: relative; margin-righ= t: 12px; height: 160px; overflow: hidden;"> <a target=3D"_blank" id=3D"LPImageAnchor356508" href=3D"https://github.com/= tiredofit/docker-openldap/blob/master/Dockerfile"><img id=3D"LPThumbnailIma= geId356508" alt=3D"" height=3D"160" style=3D"display: block;" width=3D"160"= src=3D"https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4= "></a></div> </td> <td style=3D"width: 100%;"> <div id=3D"LPTitle356508" style=3D"font-size: 21px; font-weight: 300; margi= n-right: 8px; font-family: wf_segoe-ui_light, "Segoe UI Light", &= quot;Segoe WP Light", "Segoe UI", "Segoe WP", Taho= ma, Arial, sans-serif; margin-bottom: 12px;"> <a target=3D"_blank" id=3D"LPUrlAnchor356508" href=3D"https://github.com/ti= redofit/docker-openldap/blob/master/Dockerfile" style=3D"text-decoration: n= one; color: var(--themePrimary);">docker-openldap/Dockerfile at master =B7 = tiredofit/docker-openldap =B7 GitHub</a></div> <div id=3D"LPDescription356508" style=3D"font-size: 14px; max-height: 100px= ; color: rgb(102, 102, 102); font-family: wf_segoe-ui_normal, "Segoe U= I", "Segoe WP", Tahoma, Arial, sans-serif; margin-bottom: 12= px; margin-right: 8px; overflow: hidden;"> Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Z= abbix Monitoring based on Alpine - tiredofit/docker-openldap</div> <div id=3D"LPMetadata356508" style=3D"font-size: 14px; font-weight: 400; co= lor: rgb(166, 166, 166); font-family: wf_segoe-ui_normal, "Segoe UI&qu= ot;, "Segoe WP", Tahoma, Arial, sans-serif;"> github.com</div> </td> </tr> </tbody> </table> </div> <br> </div> <hr tabindex=3D"-1" style=3D"display:inline-block; width:98%"> <div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co= lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Quanah Gibson-Mount &= lt;quanah(a)symas.com><br> <b>Sent:</b> Wednesday, April 24, 2019 1:06 PM<br> <b>To:</b> siddjain(a)live.com; openldap-its(a)OpenLDAP.org<br> <b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific= ate before sending it to client</font> <div> </div> </div> <div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"= > <div class=3D"PlainText">--On Wednesday, April 24, 2019 6:43 PM +0000 h= yc(a)symas.com wrote:<br> <br> > siddjain(a)live.com wrote:<br> >> --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_<br= > >> Content-Type: text/plain; charset=3D"iso-8859-1"<br> >> Content-Transfer-Encoding: quoted-printable<br> >><br> >> could you send me output of running<br> >><br> >> openssl version -a<br> >><br> >> on your system? thanks<br> ><br> >> openssl version -a<br> > OpenSSL 1.1.1  11 Sep 2018<br> > built on: Tue Dec  4 13:15:09 2018 UTC<br> > platform: debian-amd64<br> <br> I would also note that not all OpenLDAP builds use OpenSSL.  For examp= le, <br> OpenLDAP built on Debian/Ubuntu uses GnuTLS.  OpenLDAP built on some <= br> versions of RedHat 7 use MozNSS.  Current RedHat 7 builds use OpenSSL = but <br> have an odd MozNSS bridge for backwards compatibilty, and there may be all = <br> sorts of odd bugs in that.  Apple links OpenLDAP to its own custom SSL= <br> libary.<br> <br> So really your first step should be isolating what TLS/SSL library OpenLDAP= <br> is linked to in the environment you're using.<br> <br> --Quanah<br> <br> <br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3= A%2F%2Fwww.symas.com&amp;data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8= f068b4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&= amp;sdata=3DNifWEVt269tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&amp;reserv= ed=3D0">https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2F= www.symas.com&amp;data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8f068b4%= 7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&amp;sda= ta=3DNifWEVt269tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&amp;reserved=3D0<= /a>><br> <br> </div> </span></font></div> </div> </body> </html> --_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_--

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by quanah＠symas.com 24 Apr '19

24 Apr '19

--On Wednesday, April 24, 2019 6:43 PM +0000 hyc(a)symas.com wrote: > siddjain(a)live.com wrote: >> --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_ >> Content-Type: text/plain; charset="iso-8859-1" >> Content-Transfer-Encoding: quoted-printable >> >> could you send me output of running >> >> openssl version -a >> >> on your system? thanks > >> openssl version -a > OpenSSL 1.1.1 11 Sep 2018 > built on: Tue Dec 4 13:15:09 2018 UTC > platform: debian-amd64 I would also note that not all OpenLDAP builds use OpenSSL. For example, OpenLDAP built on Debian/Ubuntu uses GnuTLS. OpenLDAP built on some versions of RedHat 7 use MozNSS. Current RedHat 7 builds use OpenSSL but have an odd MozNSS bridge for backwards compatibilty, and there may be all sorts of odd bugs in that. Apple links OpenLDAP to its own custom SSL libary. So really your first step should be isolating what TLS/SSL library OpenLDAP is linked to in the environment you're using. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by hyc＠symas.com 24 Apr '19

24 Apr '19

siddjain(a)live.com wrote: > --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_ > Content-Type: text/plain; charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable > > could you send me output of running > > openssl version -a > > on your system? thanks > openssl version -a OpenSSL 1.1.1 11 Sep 2018 built on: Tue Dec 4 13:15:09 2018 UTC platform: debian-amd64 options: bn(64,64) rc4(8x,int) des(int) blowfish(ptr) compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-DovhWu/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2 OPENSSLDIR: "/usr/lib/ssl" ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1" Seeding source: os-specific > > ________________________________ > From: Howard Chu <hyc(a)symas.com> > Sent: Wednesday, April 24, 2019 10:04 AM > To: Siddharth Jain; openldap-its(a)OpenLDAP.org > Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef= > ore sending it to client > > Siddharth Jain wrote: >> Wow! Thanks for responding so fast. This could be a bug in docker-openlda= > p then. we have repro'ed this in two different environments - mac and ubunt= > u. Do you >> have a recommendation for docker image for openldap? > > As I said before, OpenLDAP doesn't touch the certificate files, it merely t= > ells the TLS > library where they are. You must likely have a broken TLS library. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by siddjain＠live.com 24 Apr '19

24 Apr '19

--_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable could you send me output of running openssl version -a on your system? thanks ________________________________ From: Howard Chu <hyc(a)symas.com> Sent: Wednesday, April 24, 2019 10:04 AM To: Siddharth Jain; openldap-its(a)OpenLDAP.org Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef= ore sending it to client Siddharth Jain wrote: > Wow! Thanks for responding so fast. This could be a bug in docker-openlda= p then. we have repro'ed this in two different environments - mac and ubunt= u. Do you > have a recommendation for docker image for openldap? As I said before, OpenLDAP doesn't touch the certificate files, it merely t= ells the TLS library where they are. You must likely have a broken TLS library. -------------------------------------------------------------------------= ---------------------------------------------------------------------------= ------------ > *From:* Howard Chu <hyc(a)symas.com> > *Sent:* Wednesday, April 24, 2019 9:42 AM > *To:* Siddharth Jain; openldap-its(a)OpenLDAP.org > *Subject:* Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate= before sending it to client > > Siddharth Jain wrote: >> we have documented complete steps to repro the bug here <https://nam01.s= afelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgithub.com%2Fsiddjain%= 2Fopenldap-bug&data=3D02%7C01%7C%7Cdeffc420629649af454408d6c8d6f129%7C8= 4df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&sdata=3Dsx= jXXBtCMOjbK5AZCpLTObP%2BIlJRAxXUK7LpLzUDD%2FM%3D&reserved=3D0> with > container logs. > > I see no error here. > > Using your cert/key files: > There is no OpenLDAP bug here. Your server environment is broken. -- -- Howard Chu CTO, Symas Corp. https://nam01.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.symas.com&data=3D02%7C01%7C%7Cdeffc420629649af= 454408d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C6369172228208= 65922&sdata=3DX5JT6j5%2BQ2BAsKGfNslnC%2FkQj%2BcSU4GAdTqmqqc3lWo%3D&= reserved=3D0 Director, Highland Sun https://nam01.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fhighlandsun.com%2Fhyc%2F&data=3D02%7C01%7C%7Cdeffc= 420629649af454408d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63= 6917222820865922&sdata=3DSHju26Gxu5dToV%2BuCYDxBMZQS5qJZvREcg9q0CEg2bo%= 3D&reserved=3D0 Chief Architect, OpenLDAP https://nam01.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&data=3D02%7C01%7C%7C= deffc420629649af454408d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0= %7C636917222820865922&sdata=3DfJ7LIrWHv%2FG4CJGrx%2BClsFoldJfri%2Bdk7WN= 59Bt45jU%3D&reserved=3D0 --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo= ttom:0;} </style> </head> <body dir=3D"ltr"> <div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;= color: rgb(0, 0, 0);"> could you send me output of running  <p style=3D"margin: 0px; font: 11px Menlo; background-color: rgb(255, 255, = 255); margin: 0px; background-color: rgb(255, 255, 255)"> <span style=3D"font-variant-ligatures: no-common-ligatures; font-variant-li= gatures: no-common-ligatures">openssl version -a</span></p> <p style=3D"margin: 0px; font: 11px Menlo; background-color: rgb(255, 255, = 255); margin: 0px; background-color: rgb(255, 255, 255)"> <span style=3D"font-variant-ligatures: no-common-ligatures; font-variant-li= gatures: no-common-ligatures">on your system? thanks</span></p> </div> <div> <div id=3D"appendonsend"></div> <div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col= or:rgb(0,0,0)"> <br> </div> <hr tabindex=3D"-1" style=3D"display:inline-block; width:98%"> <div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co= lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Howard Chu <hyc@sy= mas.com><br> <b>Sent:</b> Wednesday, April 24, 2019 10:04 AM<br> <b>To:</b> Siddharth Jain; openldap-its(a)OpenLDAP.org<br> <b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific= ate before sending it to client</font> <div> </div> </div> <div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"= > <div class=3D"PlainText">Siddharth Jain wrote:<br> > Wow! Thanks for responding so fast. This could be a bug in docker-open= ldap then. we have repro'ed this in two different environments - mac and ub= untu. Do you<br> > have a recommendation for docker image for openldap?<br> <br> As I said before, OpenLDAP doesn't touch the certificate files, it merely t= ells the TLS<br> library where they are. You must likely have a broken TLS library.<br>   --------------------------------------------------------------------= ---------------------------------------------------------------------------= -----------------<br> > *From:* Howard Chu <hyc(a)symas.com><br> > *Sent:* Wednesday, April 24, 2019 9:42 AM<br> > *To:* Siddharth Jain; openldap-its(a)OpenLDAP.org<br> > *Subject:* Re: (ITS#9014) OpenLDAP modifies user provided TLS certific= ate before sending it to client<br> >  <br> > Siddharth Jain wrote:<br> >> we have documented complete steps to repro the bug here <<= a href=3D"https://nam01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F= %2Fgithub.com%2Fsiddjain%2Fopenldap-bug&amp;data=3D02%7C01%7C%7Cdeffc42= 0629649af454408d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C6369= 17222820865922&amp;sdata=3DsxjXXBtCMOjbK5AZCpLTObP%2BIlJRAxXUK7LpLzUDD%= 2FM%3D&amp;reserved=3D0">https://nam01.safelinks.protection.outlook.com= /?url=3Dhttps%3A%2F%2Fgithub.com%2Fsiddjain%2Fopenldap-bug&amp;data=3D0= 2%7C01%7C%7Cdeffc420629649af454408d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaa= aaaa%7C1%7C0%7C636917222820865922&amp;sdata=3DsxjXXBtCMOjbK5AZCpLTObP%2= BIlJRAxXUK7LpLzUDD%2FM%3D&amp;reserved=3D0</a>> with<br> > container logs.<br> > <br> > I see no error here.<br> > <br> > Using your cert/key files:<br> <br> > There is no OpenLDAP bug here. Your server environment is broken.<br> <br> <br> -- <br>   -- Howard Chu<br>   CTO, Symas Corp.        &nbs= p;  <a href=3D"https://nam01.safelinks.protection.outlook.com/?url=3Dh= ttp%3A%2F%2Fwww.symas.com&amp;data=3D02%7C01%7C%7Cdeffc420629649af45440= 8d6c8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922= &amp;sdata=3DX5JT6j5%2BQ2BAsKGfNslnC%2FkQj%2BcSU4GAdTqmqqc3lWo%3D&a= mp;reserved=3D0"> https://nam01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.syma= s.com&amp;data=3D02%7C01%7C%7Cdeffc420629649af454408d6c8d6f129%7C84df9e= 7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&amp;sdata=3DX5J= T6j5%2BQ2BAsKGfNslnC%2FkQj%2BcSU4GAdTqmqqc3lWo%3D&amp;reserved=3D0</a><= br>   Director, Highland Sun     <a href=3D"https://na= m01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighlandsun.com%2F= hyc%2F&amp;data=3D02%7C01%7C%7Cdeffc420629649af454408d6c8d6f129%7C84df9= e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&amp;sdata=3DSH= ju26Gxu5dToV%2BuCYDxBMZQS5qJZvREcg9q0CEg2bo%3D&amp;reserved=3D0"> https://nam01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighland= sun.com%2Fhyc%2F&amp;data=3D02%7C01%7C%7Cdeffc420629649af454408d6c8d6f1= 29%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&amp;= sdata=3DSHju26Gxu5dToV%2BuCYDxBMZQS5qJZvREcg9q0CEg2bo%3D&amp;reserved= =3D0</a><br>   Chief Architect, OpenLDAP  <a href=3D"https://nam01.safelinks.p= rotection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&amp= ;amp;data=3D02%7C01%7C%7Cdeffc420629649af454408d6c8d6f129%7C84df9e7fe9f640a= fb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&amp;sdata=3DfJ7LIrWHv%2F= G4CJGrx%2BClsFoldJfri%2Bdk7WN59Bt45jU%3D&amp;reserved=3D0"> https://nam01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.open= ldap.org%2Fproject%2F&amp;data=3D02%7C01%7C%7Cdeffc420629649af454408d6c= 8d6f129%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917222820865922&amp= ;amp;sdata=3DfJ7LIrWHv%2FG4CJGrx%2BClsFoldJfri%2Bdk7WN59Bt45jU%3D&amp;r= eserved=3D0</a><br> </div> </span></font></div> </div> </body> </html> --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_--

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by hyc＠symas.com 24 Apr '19

24 Apr '19

Siddharth Jain wrote: > Wow! Thanks for responding so fast. This could be a bug in docker-openl= dap then. we have repro'ed this in two different environments - mac and u= buntu. Do you > have a recommendation for docker image for openldap? As I said before, OpenLDAP doesn't touch the certificate files, it merely= tells the TLS library where they are. You must likely have a broken TLS library. -----------------------------------------------------------------------= -------------------------------------------------------------------------= ---------------- > *From:* Howard Chu <hyc(a)symas.com> > *Sent:* Wednesday, April 24, 2019 9:42 AM > *To:* Siddharth Jain; openldap-its(a)OpenLDAP.org > *Subject:* Re: (ITS#9014) OpenLDAP modifies user provided TLS certifica= te before sending it to client > =A0 > Siddharth Jain wrote: >> we have documented complete steps to repro the bug=A0here <https://eur= 04.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgithub.com%2Fsid= djain%2Fopenldap-bug&data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3= cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&= sdata=3D8VfRtnCNPd%2BFo2Sps%2BLftBG3XcC57ReIFFphK6noyLc%3D&reserved=3D= 0>=A0with > container logs. >=20 > I see no error here. >=20 > Using your cert/key files: > There is no OpenLDAP bug here. Your server environment is broken. --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by siddjain＠live.com 24 Apr '19

24 Apr '19

--_000_MWHPR08MB2400F5334463D5A204E8CF88B53C0MWHPR08MB2400namp_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Wow! Thanks for responding so fast. This could be a bug in docker-openldap = then. we have repro'ed this in two different environments - mac and ubuntu.= Do you have a recommendation for docker image for openldap? ________________________________ From: Howard Chu <hyc(a)symas.com> Sent: Wednesday, April 24, 2019 9:42 AM To: Siddharth Jain; openldap-its(a)OpenLDAP.org Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef= ore sending it to client Siddharth Jain wrote: > we have documented complete steps to repro the bug here <https://eur04.sa= felinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgithub.com%2Fsiddjain%2= Fopenldap-bug&data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3cc09%7C84= df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&sdata=3D8Vf= RtnCNPd%2BFo2Sps%2BLftBG3XcC57ReIFFphK6noyLc%3D&reserved=3D0> with cont= ainer logs. I see no error here. Using your cert/key files: > ls -l /tmp/jnj total 12 -rw-r--r-- 1 hyc hyc 1592 Apr 24 17:34 jnj-ca-chain.pem -rw-r--r-- 1 hyc hyc 241 Apr 24 17:34 jnj-ldap-server-tls.key -rw-r--r-- 1 hyc hyc 1111 Apr 24 17:34 jnj-ldap-server-tls.pem ### With this slapd config vielle:~/OD/hobj/tests> cat testrun/slapd.1.conf include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema include ./schema/openldap.schema include ./schema/nis.schema include ./testdata/test.schema pidfile /home/hyc/OD/hobj/tests/testrun/slapd.1.pid argsfile /home/hyc/OD/hobj/tests/testrun/slapd.1.args sockbuf_max_incoming 4194303 TLSCAcertificatefile /tmp/jnj/jnj-ca-chain.pem TLSCertificateFile /tmp/jnj/jnj-ldap-server-tls.pem TLSCertificateKeyFile /tmp/jnj/jnj-ldap-server-tls.key database mdb suffix "dc=3Dexample,dc=3Dcom" rootdn "cn=3DManager,dc=3Dexample,dc=3Dcom" rootpw secret directory /home/hyc/OD/hobj/tests/testrun/db.1.a index objectClass eq index cn,sn,uid pres,eq,sub maxsize 33554432 database monitor ### And this slapd invocation from the OpenLDAP build tree vielle:~/OD/hobj/tests> ../servers/slapd/slapd -f testrun/slapd.1.conf -h l= daps://:9011 -s0 -d7 I get no verification error: > openssl s_client -connect localhost:9011 -state -nbio -CAfile jnj-ca-chai= n.pem -showcerts CONNECTED(00000005) Turned on non blocking io SSL_connect:before SSL initialization SSL_connect:SSLv3/TLS write client hello SSL_connect:error in SSLv3/TLS write client hello write R BLOCK SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS read server hello SSL_connect:TLSv1.3 read encrypted extensions depth=3D2 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN = =3D rca-jnj verify return:1 depth=3D1 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU = =3D client + OU =3D jnj, CN =3D rca-jnj-admin verify return:1 depth=3D0 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU = =3D client + OU =3D jnj, CN =3D jnj-ldap-server verify return:1 SSL_connect:SSLv3/TLS read server certificate SSL_connect:TLSv1.3 read server certificate verify SSL_connect:SSLv3/TLS read finished SSL_connect:SSLv3/TLS write change cipher spec SSL_connect:SSLv3/TLS write finished read R BLOCK --- Certificate chain 0 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D c= lient + OU =3D jnj, CN =3D jnj-ldap-server i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D c= lient + OU =3D jnj, CN =3D rca-jnj-admin -----BEGIN CERTIFICATE----- MIIDBzCCAq2gAwIBAgIUcxrGrCSwJwlQhBEuKztfLgRrtygwCgYIKoZIzj0EAwIw fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzANBgNVBAsTBmNsaWVudDAKBgNV BAsTA2puajEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MjIxNzE0MDBa Fw0yMDA0MjExNzE5MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMA0G A1UECxMGY2xpZW50MAoGA1UECxMDam5qMRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2 ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARutu4G452HY8vYKJLw9VXmIuz+ X1XNNwyI6q7KzzwNmTwzWyHIVzxjqNTsTRqY0L0lLI1cko2LsIACqnJTed7yo4IB BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTPS+Zc8+ZDmpVS9XerpVD1gYL7 cjAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQDBbbexORUa nrBJG8iSkADdOIW/ZOK7kbpLJ4x6GdTO8gIgfzOqW/9ZJKFM3PBls6bEVacoRLX9 AklAHxajASZK+UU=3D -----END CERTIFICATE----- 1 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D c= lient + OU =3D jnj, CN =3D rca-jnj-admin i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D r= ca-jnj -----BEGIN CERTIFICATE----- MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg Sm9obnNvbjEbMA0GA1UECxMGY2xpZW50MAoGA1UECxMDam5qMRYwFAYDVQQDEw1y Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0 DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2 2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an gjeXphQ=3D -----END CERTIFICATE----- 2 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D r= ca-jnj i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D r= ca-jnj -----BEGIN CERTIFICATE----- MIIB/TCCAaOgAwIBAgIUSsxdq02aJCyaIHkIRxRdKvWYG9swCgYIKoZIzj0EAwIw WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN MTkwMjAxMjExNDAwWhcNMzQwMTI4MjExNDAwWjBbMQswCQYDVQQGEwJVUzELMAkG A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg Sm9obnNvbjEQMA4GA1UEAxMHcmNhLWpuajBZMBMGByqGSM49AgEGCCqGSM49AwEH A0IABCF30Cn+O5sD/9n6d3IQQEGiceCTD7gG/5t4dHR4xmvm84HNgRngGKGF4fny 6BXkPSyDguP+L5zozdWDb8dWTQejRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBQRldx2pzX9U+YvH7w4dt/ZbeVvQzAKBggq hkjOPQQDAgNIADBFAiEAkCQcOP+PmyVIMgr/cUsk04qH8lXYO4DqDuH1WSNvGfEC IBZQGRehpZ604FgkD0YqmiGRV/OzU99em0g3jkmWJbJY -----END CERTIFICATE----- --- Server certificate subject=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU = =3D client + OU =3D jnj, CN =3D jnj-ldap-server issuer=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU = =3D client + OU =3D jnj, CN =3D rca-jnj-admin --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2254 bytes and written 391 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- SSL_connect:SSL negotiation finished successfully SSL_connect:SSL negotiation finished successfully --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 4E6019F281D63D69D1C800DF4D2441CC918FF4A3AFA8A0A6D6D05FFB544= E91F2 Session-ID-ctx: Resumption PSK: A00E7F64B5EA00718122A6F34EF0EC9167F437BDB832D9C64834D18= F367E8AD2AD5F9BCF9649330D321DC19D0AB49882 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90 .~[.=3Do.Ix...= .xX. 0010 - 00 78 10 a6 94 fb 36 96-f9 8b 17 53 8b 27 14 b5 .x....6....S.'= .. 0020 - 5d 2d 28 3b db 26 71 44-65 c3 43 d6 8e e8 46 a8 ]-(;.&qDe.C...= F. 0030 - 05 8a 34 57 c0 42 71 03-4f 70 ad 20 07 74 fc 94 ..4W.Bq.Op. .t= .. 0040 - e8 e4 9d 89 d0 45 db 2c-62 4a 28 b6 31 f9 3f af .....E.,bJ(.1.= ?. 0050 - 46 7c f7 f8 9f b1 0b 7c-ea 70 a1 f0 4c 2f 62 0a F|.....|.p..L/= b. 0060 - e3 e9 83 47 0e f2 e5 71-a5 0c ba 2a 8d 7d f8 e2 ...G...q...*.}= .. 0070 - 21 84 1a 1a 86 4f 02 0a-4c 9a 17 77 af 9e 64 1f !....O..L..w..= d. 0080 - 72 c5 e5 45 d1 bb 92 0a-ae fe e9 b1 bc 46 7d 13 r..E.........F= }. 0090 - aa 2b 9b c1 3d 92 8b 1d-08 6c 11 12 a0 b7 c8 a3 .+..=3D....l..= .... 00a0 - b2 bb 2b d9 bd 70 86 0d-91 45 5c 23 b6 b0 6a 3a ..+..p...E\#..= j: 00b0 - 61 1d 3a c1 4a 36 48 b4-b3 03 a9 8b 41 94 fd 67 a.:.J6H.....A.= .g 00c0 - 53 a6 03 a4 ab c6 a0 7e-e9 39 98 a8 c9 01 bc c0 S......~.9....= .. Start Time: 1556123794 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- SSL_connect:SSLv3/TLS read server session ticket read R BLOCK SSL_connect:SSL negotiation finished successfully SSL_connect:SSL negotiation finished successfully --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: A7B81922756F8F5B986C7B38E0F29399F8127F52D042EB7D0DCEDB8D4CD= 577B5 Session-ID-ctx: Resumption PSK: 5FDD5DF642126A4F04D05EBBECDBB92BBCBAB6A7E05051224D64669= 3BBD0B964C039185F933442D400BBCBC92A832913 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90 .~[.=3Do.Ix...= .xX. 0010 - d3 10 28 b9 01 6b 4b 92-1e 3e ae 3b 7f 4e cc 6c ..(..kK..>.;.N= .l 0020 - 19 d3 0b ac 9c b9 21 4d-ed 78 2c 35 d3 03 ba 11 ......!M.x,5..= .. 0030 - 22 59 1c 0d 91 a5 da 93-a0 0a 54 88 aa 81 be 89 "Y........T...= .. 0040 - e0 2e 74 71 8e c8 fd f7-9d 5c 99 15 42 23 47 cf ..tq.....\..B#= G. 0050 - 0d 56 97 10 f3 f8 02 fe-69 65 e6 1c fa 7d 96 fe .V......ie...}= .. 0060 - 86 d2 c2 64 2c 6e 96 3d-14 e2 87 47 91 69 ef df ...d,n.=3D...G= .i.. 0070 - 14 d5 75 0d ff da 61 04-26 56 5d 8b d3 4d 2d 2d ..u...a.&V]..M= -- 0080 - 78 fa 65 6d ad ef 15 ba-14 45 f0 ba a6 85 fb 95 x.em.....E....= .. 0090 - dc e5 9b 1c ac e4 66 de-c2 6e 3f e7 1e 47 09 25 ......f..n?..G= .% 00a0 - 89 b0 c3 c0 4c 93 64 de-23 3e 58 67 ae f3 7e e4 ....L.d.#>Xg..= ~. 00b0 - d5 af 4d 31 40 24 87 da-ec e7 3f 8a 48 b5 9d 23 ..M1@$....?.H.= .# 00c0 - d4 53 01 fa 18 39 79 0f-9b 9c ea ed 71 63 c5 2f .S...9y.....qc= ./ Start Time: 1556123794 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- SSL_connect:SSLv3/TLS read server session ticket read R BLOCK SSL3 alert read:warning:close notify closed SSL3 alert write:warning:close notify vielle:/home/software/openldap-bug> ### There is no OpenLDAP bug here. Your server environment is broken. -- -- Howard Chu CTO, Symas Corp. https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.symas.com&data=3D02%7C01%7C%7Caca4f78e53324b52= 690008d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C6369172093154= 07238&sdata=3DyzZvZLe34LJJfhMqjtBoGhJqMXnLSPdeBExlpYnMKqY%3D&reserv= ed=3D0 Director, Highland Sun https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fhighlandsun.com%2Fhyc%2F&data=3D02%7C01%7C%7Caca4f= 78e53324b52690008d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63= 6917209315407238&sdata=3Dc%2B1myt04g7sv1kXBUCwd1bUgQV4HGrjAgYgsPoAXLpA%= 3D&reserved=3D0 Chief Architect, OpenLDAP https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&data=3D02%7C01%7C%7C= aca4f78e53324b52690008d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0= %7C636917209315407238&sdata=3DbMFyP0JzruNwnxXozQQnUVYg2WrYvQJ1PFDWdgkd6= zc%3D&reserved=3D0 --_000_MWHPR08MB2400F5334463D5A204E8CF88B53C0MWHPR08MB2400namp_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo= ttom:0;} </style> </head> <body dir=3D"ltr"> <div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;= color: rgb(0, 0, 0);"> Wow! Thanks for responding so fast. This could be a bug in docker-openldap = then. we have repro'ed this in two different environments - mac and ubuntu.= Do you have a recommendation for docker image for openldap? </div> <div> <div id=3D"appendonsend"></div> <div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col= or:rgb(0,0,0)"> <br> </div> <hr tabindex=3D"-1" style=3D"display:inline-block; width:98%"> <div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co= lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Howard Chu <hyc@sy= mas.com><br> <b>Sent:</b> Wednesday, April 24, 2019 9:42 AM<br> <b>To:</b> Siddharth Jain; openldap-its(a)OpenLDAP.org<br> <b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific= ate before sending it to client</font> <div> </div> </div> <div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"= > <div class=3D"PlainText">Siddharth Jain wrote:<br> > we have documented complete steps to repro the bug here <<a hr= ef=3D"https://eur04.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fg= ithub.com%2Fsiddjain%2Fopenldap-bug&amp;data=3D02%7C01%7C%7Caca4f78e533= 24b52690008d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63691720= 9315407238&amp;sdata=3D8VfRtnCNPd%2BFo2Sps%2BLftBG3XcC57ReIFFphK6noyLc%= 3D&amp;reserved=3D0">https://eur04.safelinks.protection.outlook.com/?ur= l=3Dhttps%3A%2F%2Fgithub.com%2Fsiddjain%2Fopenldap-bug&amp;data=3D02%7C= 01%7C%7Caca4f78e53324b52690008d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa= %7C1%7C0%7C636917209315407238&amp;sdata=3D8VfRtnCNPd%2BFo2Sps%2BLftBG3X= cC57ReIFFphK6noyLc%3D&amp;reserved=3D0</a>> with container logs.<br> <br> I see no error here.<br> <br> Using your cert/key files:<br> <br> > ls -l /tmp/jnj<br> total 12<br> -rw-r--r-- 1 hyc hyc 1592 Apr 24 17:34 jnj-ca-chain.pem<br> -rw-r--r-- 1 hyc hyc  241 Apr 24 17:34 jnj-ldap-server-tls.key<br> -rw-r--r-- 1 hyc hyc 1111 Apr 24 17:34 jnj-ldap-server-tls.pem<br> <br> ###<br> <br> With this slapd config<br> vielle:~/OD/hobj/tests> cat testrun/slapd.1.conf<br> <br> include         ./schema/core.schem= a<br> include         ./schema/cosine.sch= ema<br> include         ./schema/inetorgper= son.schema<br> include         ./schema/openldap.s= chema<br> include         ./schema/nis.schema= <br> include         ./testdata/test.sch= ema<br> <br> pidfile         /home/hyc/OD/hobj/t= ests/testrun/slapd.1.pid<br> argsfile        /home/hyc/OD/hobj/tests/= testrun/slapd.1.args<br> <br> sockbuf_max_incoming 4194303<br> <br> TLSCAcertificatefile /tmp/jnj/jnj-ca-chain.pem<br> TLSCertificateFile /tmp/jnj/jnj-ldap-server-tls.pem<br> TLSCertificateKeyFile /tmp/jnj/jnj-ldap-server-tls.key<br> <br> <br> database        mdb<br> suffix          "dc=3Dexa= mple,dc=3Dcom"<br> rootdn          "cn=3DMan= ager,dc=3Dexample,dc=3Dcom"<br> rootpw          secret<br> directory       /home/hyc/OD/hobj/tests/testr= un/db.1.a<br> index           objectCla= ss     eq<br> index           cn,sn,uid=        pres,eq,sub<br> maxsize 33554432<br> <br> database        monitor<br> ###<br> <br> And this slapd invocation from the OpenLDAP build tree<br> vielle:~/OD/hobj/tests> ../servers/slapd/slapd -f testrun/slapd.1.conf -= h ldaps://:9011 -s0 -d7<br> <br> I get no verification error:<br> > openssl s_client -connect localhost:9011 -state -nbio -CAfile jnj-ca-c= hain.pem -showcerts<br> CONNECTED(00000005)<br> Turned on non blocking io<br> SSL_connect:before SSL initialization<br> SSL_connect:SSLv3/TLS write client hello<br> SSL_connect:error in SSLv3/TLS write client hello<br> write R BLOCK<br> SSL_connect:SSLv3/TLS write client hello<br> SSL_connect:SSLv3/TLS read server hello<br> SSL_connect:TLSv1.3 read encrypted extensions<br> depth=3D2 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= CN =3D rca-jnj<br> verify return:1<br> depth=3D1 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= OU =3D client + OU =3D jnj, CN =3D rca-jnj-admin<br> verify return:1<br> depth=3D0 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= OU =3D client + OU =3D jnj, CN =3D jnj-ldap-server<br> verify return:1<br> SSL_connect:SSLv3/TLS read server certificate<br> SSL_connect:TLSv1.3 read server certificate verify<br> SSL_connect:SSLv3/TLS read finished<br> SSL_connect:SSLv3/TLS write change cipher spec<br> SSL_connect:SSLv3/TLS write finished<br> read R BLOCK<br> ---<br> Certificate chain<br>  0 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= OU =3D client + OU =3D jnj, CN =3D jnj-ldap-server<br>    i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Joh= nson, OU =3D client + OU =3D jnj, CN =3D rca-jnj-admin<br> -----BEGIN CERTIFICATE-----<br> MIIDBzCCAq2gAwIBAgIUcxrGrCSwJwlQhBEuKztfLgRrtygwCgYIKoZIzj0EAwIw<br> fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa<br> MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzANBgNVBAsTBmNsaWVudDAKBgNV<br> BAsTA2puajEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MjIxNzE0MDBa<br> Fw0yMDA0MjExNzE5MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP<br> BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMA0G<br> A1UECxMGY2xpZW50MAoGA1UECxMDam5qMRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2<br> ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARutu4G452HY8vYKJLw9VXmIuz+<br> X1XNNwyI6q7KzzwNmTwzWyHIVzxjqNTsTRqY0L0lLI1cko2LsIACqnJTed7yo4IB<br> BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF<br> BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTPS+Zc8+ZDmpVS9XerpVD1gYL7<br= > cjAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q<br> bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp<br> YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi<br> LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQDBbbexORUa<br> nrBJG8iSkADdOIW/ZOK7kbpLJ4x6GdTO8gIgfzOqW/9ZJKFM3PBls6bEVacoRLX9<br> AklAHxajASZK+UU=3D<br> -----END CERTIFICATE-----<br>  1 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= OU =3D client + OU =3D jnj, CN =3D rca-jnj-admin<br>    i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Joh= nson, CN =3D rca-jnj<br> -----BEGIN CERTIFICATE-----<br> MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw<br> WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa<br> MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN<br> MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG<br> A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg<br> Sm9obnNvbjEbMA0GA1UECxMGY2xpZW50MAoGA1UECxMDam5qMRYwFAYDVQQDEw1y<br> Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf<br> iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0<br> DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw<br> HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han<br> Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2<br> 2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an<br> gjeXphQ=3D<br> -----END CERTIFICATE-----<br>  2 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= CN =3D rca-jnj<br>    i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Joh= nson, CN =3D rca-jnj<br> -----BEGIN CERTIFICATE-----<br> MIIB/TCCAaOgAwIBAgIUSsxdq02aJCyaIHkIRxRdKvWYG9swCgYIKoZIzj0EAwIw<br> WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa<br> MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN<br> MTkwMjAxMjExNDAwWhcNMzQwMTI4MjExNDAwWjBbMQswCQYDVQQGEwJVUzELMAkG<br> A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg<br> Sm9obnNvbjEQMA4GA1UEAxMHcmNhLWpuajBZMBMGByqGSM49AgEGCCqGSM49AwEH<br> A0IABCF30Cn+O5sD/9n6d3IQQEGiceCTD7gG/5t4dHR4xmvm84HNgRngGKGF4fny<br> 6BXkPSyDguP+L5zozdWDb8dWTQejRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB<br> Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBQRldx2pzX9U+YvH7w4dt/ZbeVvQzAKBggq<br> hkjOPQQDAgNIADBFAiEAkCQcOP+PmyVIMgr/cUsk04qH8lXYO4DqDuH1WSNvGfEC<br> IBZQGRehpZ604FgkD0YqmiGRV/OzU99em0g3jkmWJbJY<br> -----END CERTIFICATE-----<br> ---<br> Server certificate<br> subject=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson,= OU =3D client + OU =3D jnj, CN =3D jnj-ldap-server<br> <br> issuer=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, = OU =3D client + OU =3D jnj, CN =3D rca-jnj-admin<br> <br> ---<br> No client certificate CA names sent<br> Peer signing digest: SHA256<br> Peer signature type: ECDSA<br> Server Temp Key: X25519, 253 bits<br> ---<br> SSL handshake has read 2254 bytes and written 391 bytes<br> Verification: OK<br> ---<br> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384<br> Server public key is 256 bit<br> Secure Renegotiation IS NOT supported<br> Compression: NONE<br> Expansion: NONE<br> No ALPN negotiated<br> Early data was not sent<br> Verify return code: 0 (ok)<br> ---<br> SSL_connect:SSL negotiation finished successfully<br> SSL_connect:SSL negotiation finished successfully<br> ---<br> Post-Handshake New Session Ticket arrived:<br> SSL-Session:<br>     Protocol  : TLSv1.3<br>     Cipher    : TLS_AES_256_GCM_SHA384<br>     Session-ID: 4E6019F281D63D69D1C800DF4D2441CC918FF4A3AFA8= A0A6D6D05FFB544E91F2<br>     Session-ID-ctx:<br>     Resumption PSK: A00E7F64B5EA00718122A6F34EF0EC9167F437BD= B832D9C64834D18F367E8AD2AD5F9BCF9649330D321DC19D0AB49882<br>     PSK identity: None<br>     PSK identity hint: None<br>     SRP username: None<br>     TLS session ticket lifetime hint: 7200 (seconds)<br>     TLS session ticket:<br>     0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90&n= bsp;  .~[.=3Do.Ix....xX.<br>     0010 - 00 78 10 a6 94 fb 36 96-f9 8b 17 53 8b 27 14 b5&n= bsp;  .x....6....S.'..<br>     0020 - 5d 2d 28 3b db 26 71 44-65 c3 43 d6 8e e8 46 a8&n= bsp;  ]-(;.&qDe.C...F.<br>     0030 - 05 8a 34 57 c0 42 71 03-4f 70 ad 20 07 74 fc 94&n= bsp;  ..4W.Bq.Op. .t..<br>     0040 - e8 e4 9d 89 d0 45 db 2c-62 4a 28 b6 31 f9 3f af&n= bsp;  .....E.,bJ(.1.?.<br>     0050 - 46 7c f7 f8 9f b1 0b 7c-ea 70 a1 f0 4c 2f 62 0a&n= bsp;  F|.....|.p..L/b.<br>     0060 - e3 e9 83 47 0e f2 e5 71-a5 0c ba 2a 8d 7d f8 e2&n= bsp;  ...G...q...*.}..<br>     0070 - 21 84 1a 1a 86 4f 02 0a-4c 9a 17 77 af 9e 64 1f&n= bsp;  !....O..L..w..d.<br>     0080 - 72 c5 e5 45 d1 bb 92 0a-ae fe e9 b1 bc 46 7d 13&n= bsp;  r..E.........F}.<br>     0090 - aa 2b 9b c1 3d 92 8b 1d-08 6c 11 12 a0 b7 c8 a3&n= bsp;  .+..=3D....l......<br>     00a0 - b2 bb 2b d9 bd 70 86 0d-91 45 5c 23 b6 b0 6a 3a&n= bsp;  ..+..p...E\#..j:<br>     00b0 - 61 1d 3a c1 4a 36 48 b4-b3 03 a9 8b 41 94 fd 67&n= bsp;  a.:.J6H.....A..g<br>     00c0 - 53 a6 03 a4 ab c6 a0 7e-e9 39 98 a8 c9 01 bc c0&n= bsp;  S......~.9......<br> <br>     Start Time: 1556123794<br>     Timeout   : 7200 (sec)<br>     Verify return code: 0 (ok)<br>     Extended master secret: no<br>     Max Early Data: 0<br> ---<br> SSL_connect:SSLv3/TLS read server session ticket<br> read R BLOCK<br> SSL_connect:SSL negotiation finished successfully<br> SSL_connect:SSL negotiation finished successfully<br> ---<br> Post-Handshake New Session Ticket arrived:<br> SSL-Session:<br>     Protocol  : TLSv1.3<br>     Cipher    : TLS_AES_256_GCM_SHA384<br>     Session-ID: A7B81922756F8F5B986C7B38E0F29399F8127F52D042= EB7D0DCEDB8D4CD577B5<br>     Session-ID-ctx:<br>     Resumption PSK: 5FDD5DF642126A4F04D05EBBECDBB92BBCBAB6A7= E05051224D646693BBD0B964C039185F933442D400BBCBC92A832913<br>     PSK identity: None<br>     PSK identity hint: None<br>     SRP username: None<br>     TLS session ticket lifetime hint: 7200 (seconds)<br>     TLS session ticket:<br>     0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90&n= bsp;  .~[.=3Do.Ix....xX.<br>     0010 - d3 10 28 b9 01 6b 4b 92-1e 3e ae 3b 7f 4e cc 6c&n= bsp;  ..(..kK..>.;.N.l<br>     0020 - 19 d3 0b ac 9c b9 21 4d-ed 78 2c 35 d3 03 ba 11&n= bsp;  ......!M.x,5....<br>     0030 - 22 59 1c 0d 91 a5 da 93-a0 0a 54 88 aa 81 be 89&n= bsp;  "Y........T.....<br>     0040 - e0 2e 74 71 8e c8 fd f7-9d 5c 99 15 42 23 47 cf&n= bsp;  ..tq.....\..B#G.<br>     0050 - 0d 56 97 10 f3 f8 02 fe-69 65 e6 1c fa 7d 96 fe&n= bsp;  .V......ie...}..<br>     0060 - 86 d2 c2 64 2c 6e 96 3d-14 e2 87 47 91 69 ef df&n= bsp;  ...d,n.=3D...G.i..<br>     0070 - 14 d5 75 0d ff da 61 04-26 56 5d 8b d3 4d 2d 2d&n= bsp;  ..u...a.&V]..M--<br>     0080 - 78 fa 65 6d ad ef 15 ba-14 45 f0 ba a6 85 fb 95&n= bsp;  x.em.....E......<br>     0090 - dc e5 9b 1c ac e4 66 de-c2 6e 3f e7 1e 47 09 25&n= bsp;  ......f..n?..G.%<br>     00a0 - 89 b0 c3 c0 4c 93 64 de-23 3e 58 67 ae f3 7e e4&n= bsp;  ....L.d.#>Xg..~.<br>     00b0 - d5 af 4d 31 40 24 87 da-ec e7 3f 8a 48 b5 9d 23&n= bsp;  ..M1@$....?.H..#<br>     00c0 - d4 53 01 fa 18 39 79 0f-9b 9c ea ed 71 63 c5 2f&n= bsp;  .S...9y.....qc./<br> <br>     Start Time: 1556123794<br>     Timeout   : 7200 (sec)<br>     Verify return code: 0 (ok)<br>     Extended master secret: no<br>     Max Early Data: 0<br> ---<br> SSL_connect:SSLv3/TLS read server session ticket<br> read R BLOCK<br> SSL3 alert read:warning:close notify<br> closed<br> SSL3 alert write:warning:close notify<br> vielle:/home/software/openldap-bug><br> ###<br> <br> There is no OpenLDAP bug here. Your server environment is broken.<br> -- <br>   -- Howard Chu<br>   CTO, Symas Corp.        &nbs= p;  <a href=3D"https://eur04.safelinks.protection.outlook.com/?url=3Dh= ttp%3A%2F%2Fwww.symas.com&amp;data=3D02%7C01%7C%7Caca4f78e53324b5269000= 8d6c8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238= &amp;sdata=3DyzZvZLe34LJJfhMqjtBoGhJqMXnLSPdeBExlpYnMKqY%3D&amp;res= erved=3D0"> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.syma= s.com&amp;data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3cc09%7C84df9e= 7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&amp;sdata=3DyzZ= vZLe34LJJfhMqjtBoGhJqMXnLSPdeBExlpYnMKqY%3D&amp;reserved=3D0</a><br>   Director, Highland Sun     <a href=3D"https://eu= r04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighlandsun.com%2F= hyc%2F&amp;data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3cc09%7C84df9= e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&amp;sdata=3Dc%= 2B1myt04g7sv1kXBUCwd1bUgQV4HGrjAgYgsPoAXLpA%3D&amp;reserved=3D0"> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighland= sun.com%2Fhyc%2F&amp;data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3cc= 09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&amp;= sdata=3Dc%2B1myt04g7sv1kXBUCwd1bUgQV4HGrjAgYgsPoAXLpA%3D&amp;reserved= =3D0</a><br>   Chief Architect, OpenLDAP  <a href=3D"https://eur04.safelinks.p= rotection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&amp= ;amp;data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c8d3cc09%7C84df9e7fe9f640a= fb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&amp;sdata=3DbMFyP0JzruNw= nxXozQQnUVYg2WrYvQJ1PFDWdgkd6zc%3D&amp;reserved=3D0"> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.open= ldap.org%2Fproject%2F&amp;data=3D02%7C01%7C%7Caca4f78e53324b52690008d6c= 8d3cc09%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917209315407238&amp= ;amp;sdata=3DbMFyP0JzruNwnxXozQQnUVYg2WrYvQJ1PFDWdgkd6zc%3D&amp;reserve= d=3D0</a><br> </div> </span></font></div> </div> </body> </html> --_000_MWHPR08MB2400F5334463D5A204E8CF88B53C0MWHPR08MB2400namp_--

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by hyc＠symas.com 24 Apr '19

24 Apr '19

Siddharth Jain wrote: > we have documented complete steps to repro the bug=A0here <https://gith= ub.com/siddjain/openldap-bug>=A0with container logs. I see no error here. Using your cert/key files: > ls -l /tmp/jnj total 12 -rw-r--r-- 1 hyc hyc 1592 Apr 24 17:34 jnj-ca-chain.pem -rw-r--r-- 1 hyc hyc 241 Apr 24 17:34 jnj-ldap-server-tls.key -rw-r--r-- 1 hyc hyc 1111 Apr 24 17:34 jnj-ldap-server-tls.pem ### With this slapd config vielle:~/OD/hobj/tests> cat testrun/slapd.1.conf include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema include ./schema/openldap.schema include ./schema/nis.schema include ./testdata/test.schema pidfile /home/hyc/OD/hobj/tests/testrun/slapd.1.pid argsfile /home/hyc/OD/hobj/tests/testrun/slapd.1.args sockbuf_max_incoming 4194303 TLSCAcertificatefile /tmp/jnj/jnj-ca-chain.pem TLSCertificateFile /tmp/jnj/jnj-ldap-server-tls.pem TLSCertificateKeyFile /tmp/jnj/jnj-ldap-server-tls.key database mdb suffix "dc=3Dexample,dc=3Dcom" rootdn "cn=3DManager,dc=3Dexample,dc=3Dcom" rootpw secret directory /home/hyc/OD/hobj/tests/testrun/db.1.a index objectClass eq index cn,sn,uid pres,eq,sub maxsize 33554432 database monitor ### And this slapd invocation from the OpenLDAP build tree vielle:~/OD/hobj/tests> ../servers/slapd/slapd -f testrun/slapd.1.conf -h= ldaps://:9011 -s0 -d7 I get no verification error: > openssl s_client -connect localhost:9011 -state -nbio -CAfile jnj-ca-ch= ain.pem -showcerts CONNECTED(00000005) Turned on non blocking io SSL_connect:before SSL initialization SSL_connect:SSLv3/TLS write client hello SSL_connect:error in SSLv3/TLS write client hello write R BLOCK SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS read server hello SSL_connect:TLSv1.3 read encrypted extensions depth=3D2 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, C= N =3D rca-jnj verify return:1 depth=3D1 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, O= U =3D client + OU =3D jnj, CN =3D rca-jnj-admin verify return:1 depth=3D0 C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, O= U =3D client + OU =3D jnj, CN =3D jnj-ldap-server verify return:1 SSL_connect:SSLv3/TLS read server certificate SSL_connect:TLSv1.3 read server certificate verify SSL_connect:SSLv3/TLS read finished SSL_connect:SSLv3/TLS write change cipher spec SSL_connect:SSLv3/TLS write finished read R BLOCK --- Certificate chain 0 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D= client + OU =3D jnj, CN =3D jnj-ldap-server i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D= client + OU =3D jnj, CN =3D rca-jnj-admin -----BEGIN CERTIFICATE----- MIIDBzCCAq2gAwIBAgIUcxrGrCSwJwlQhBEuKztfLgRrtygwCgYIKoZIzj0EAwIw fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzANBgNVBAsTBmNsaWVudDAKBgNV BAsTA2puajEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MjIxNzE0MDBa Fw0yMDA0MjExNzE5MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMA0G A1UECxMGY2xpZW50MAoGA1UECxMDam5qMRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2 ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARutu4G452HY8vYKJLw9VXmIuz+ X1XNNwyI6q7KzzwNmTwzWyHIVzxjqNTsTRqY0L0lLI1cko2LsIACqnJTed7yo4IB BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTPS+Zc8+ZDmpVS9XerpVD1gYL7 cjAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQDBbbexORUa nrBJG8iSkADdOIW/ZOK7kbpLJ4x6GdTO8gIgfzOqW/9ZJKFM3PBls6bEVacoRLX9 AklAHxajASZK+UU=3D -----END CERTIFICATE----- 1 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU =3D= client + OU =3D jnj, CN =3D rca-jnj-admin i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D= rca-jnj -----BEGIN CERTIFICATE----- MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg Sm9obnNvbjEbMA0GA1UECxMGY2xpZW50MAoGA1UECxMDam5qMRYwFAYDVQQDEw1y Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0 DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2 2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an gjeXphQ=3D -----END CERTIFICATE----- 2 s:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D= rca-jnj i:C =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, CN =3D= rca-jnj -----BEGIN CERTIFICATE----- MIIB/TCCAaOgAwIBAgIUSsxdq02aJCyaIHkIRxRdKvWYG9swCgYIKoZIzj0EAwIw WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN MTkwMjAxMjExNDAwWhcNMzQwMTI4MjExNDAwWjBbMQswCQYDVQQGEwJVUzELMAkG A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg Sm9obnNvbjEQMA4GA1UEAxMHcmNhLWpuajBZMBMGByqGSM49AgEGCCqGSM49AwEH A0IABCF30Cn+O5sD/9n6d3IQQEGiceCTD7gG/5t4dHR4xmvm84HNgRngGKGF4fny 6BXkPSyDguP+L5zozdWDb8dWTQejRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBQRldx2pzX9U+YvH7w4dt/ZbeVvQzAKBggq hkjOPQQDAgNIADBFAiEAkCQcOP+PmyVIMgr/cUsk04qH8lXYO4DqDuH1WSNvGfEC IBZQGRehpZ604FgkD0YqmiGRV/OzU99em0g3jkmWJbJY -----END CERTIFICATE----- --- Server certificate subject=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, O= U =3D client + OU =3D jnj, CN =3D jnj-ldap-server issuer=3DC =3D US, ST =3D WA, L =3D Bellevue, O =3D Johnson & Johnson, OU= =3D client + OU =3D jnj, CN =3D rca-jnj-admin --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2254 bytes and written 391 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- SSL_connect:SSL negotiation finished successfully SSL_connect:SSL negotiation finished successfully --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 4E6019F281D63D69D1C800DF4D2441CC918FF4A3AFA8A0A6D6D05FFB5= 44E91F2 Session-ID-ctx: Resumption PSK: A00E7F64B5EA00718122A6F34EF0EC9167F437BDB832D9C64834D= 18F367E8AD2AD5F9BCF9649330D321DC19D0AB49882 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90 .~[.=3Do.Ix.= ...xX. 0010 - 00 78 10 a6 94 fb 36 96-f9 8b 17 53 8b 27 14 b5 .x....6....S= .'.. 0020 - 5d 2d 28 3b db 26 71 44-65 c3 43 d6 8e e8 46 a8 ]-(;.&qDe.C.= ..F. 0030 - 05 8a 34 57 c0 42 71 03-4f 70 ad 20 07 74 fc 94 ..4W.Bq.Op. = .t.. 0040 - e8 e4 9d 89 d0 45 db 2c-62 4a 28 b6 31 f9 3f af .....E.,bJ(.= 1.?. 0050 - 46 7c f7 f8 9f b1 0b 7c-ea 70 a1 f0 4c 2f 62 0a F|.....|.p..= L/b. 0060 - e3 e9 83 47 0e f2 e5 71-a5 0c ba 2a 8d 7d f8 e2 ...G...q...*= .}.. 0070 - 21 84 1a 1a 86 4f 02 0a-4c 9a 17 77 af 9e 64 1f !....O..L..w= ..d. 0080 - 72 c5 e5 45 d1 bb 92 0a-ae fe e9 b1 bc 46 7d 13 r..E........= .F}. 0090 - aa 2b 9b c1 3d 92 8b 1d-08 6c 11 12 a0 b7 c8 a3 .+..=3D....l= ...... 00a0 - b2 bb 2b d9 bd 70 86 0d-91 45 5c 23 b6 b0 6a 3a ..+..p...E\#= ..j: 00b0 - 61 1d 3a c1 4a 36 48 b4-b3 03 a9 8b 41 94 fd 67 a.:.J6H.....= A..g 00c0 - 53 a6 03 a4 ab c6 a0 7e-e9 39 98 a8 c9 01 bc c0 S......~.9..= .... Start Time: 1556123794 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- SSL_connect:SSLv3/TLS read server session ticket read R BLOCK SSL_connect:SSL negotiation finished successfully SSL_connect:SSL negotiation finished successfully --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: A7B81922756F8F5B986C7B38E0F29399F8127F52D042EB7D0DCEDB8D4= CD577B5 Session-ID-ctx: Resumption PSK: 5FDD5DF642126A4F04D05EBBECDBB92BBCBAB6A7E05051224D646= 693BBD0B964C039185F933442D400BBCBC92A832913 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - ea 7e 5b e0 3d 6f 9f 49-78 07 f5 c0 da 78 58 90 .~[.=3Do.Ix.= ...xX. 0010 - d3 10 28 b9 01 6b 4b 92-1e 3e ae 3b 7f 4e cc 6c ..(..kK..>.;= .N.l 0020 - 19 d3 0b ac 9c b9 21 4d-ed 78 2c 35 d3 03 ba 11 ......!M.x,5= .... 0030 - 22 59 1c 0d 91 a5 da 93-a0 0a 54 88 aa 81 be 89 "Y........T.= .... 0040 - e0 2e 74 71 8e c8 fd f7-9d 5c 99 15 42 23 47 cf ..tq.....\..= B#G. 0050 - 0d 56 97 10 f3 f8 02 fe-69 65 e6 1c fa 7d 96 fe .V......ie..= .}.. 0060 - 86 d2 c2 64 2c 6e 96 3d-14 e2 87 47 91 69 ef df ...d,n.=3D..= .G.i.. 0070 - 14 d5 75 0d ff da 61 04-26 56 5d 8b d3 4d 2d 2d ..u...a.&V].= .M-- 0080 - 78 fa 65 6d ad ef 15 ba-14 45 f0 ba a6 85 fb 95 x.em.....E..= .... 0090 - dc e5 9b 1c ac e4 66 de-c2 6e 3f e7 1e 47 09 25 ......f..n?.= .G.% 00a0 - 89 b0 c3 c0 4c 93 64 de-23 3e 58 67 ae f3 7e e4 ....L.d.#>Xg= ..~. 00b0 - d5 af 4d 31 40 24 87 da-ec e7 3f 8a 48 b5 9d 23 ..M1@$....?.= H..# 00c0 - d4 53 01 fa 18 39 79 0f-9b 9c ea ed 71 63 c5 2f .S...9y.....= qc./ Start Time: 1556123794 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- SSL_connect:SSLv3/TLS read server session ticket read R BLOCK SSL3 alert read:warning:close notify closed SSL3 alert write:warning:close notify vielle:/home/software/openldap-bug> ### There is no OpenLDAP bug here. Your server environment is broken. --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client
by siddjain＠live.com 24 Apr '19

24 Apr '19

--_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable we have documented complete steps to repro the bug here<https://github.com/= siddjain/openldap-bug> with container logs. ________________________________ From: Howard Chu <hyc(a)symas.com> Sent: Monday, April 22, 2019 10:15 AM To: siddjain(a)live.com; openldap-its(a)OpenLDAP.org Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef= ore sending it to client siddjain(a)live.com wrote: > Full_Name: SIDDHARTH JAIN > Version: 2.4.45 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (173.226.196.10) > > > In some cases, OpenLDAP will modify the TLS certificate given to it befor= e > sending it over to the client resulting in a certificate signature error.= An > example of certificate it modifies is given below: OpenLDAP never touches the certificates you configure. If you're getting a = corrupted certificate then there's either a bug in your storage/filesystem or in your= SSL/TLS library. -- -- Howard Chu CTO, Symas Corp. https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.symas.com&data=3D02%7C01%7C%7Cb0dec02e090a48ff= 954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C6369155015543= 63548&sdata=3D7ca82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&reserv= ed=3D0 Director, Highland Sun https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fhighlandsun.com%2Fhyc%2F&data=3D02%7C01%7C%7Cb0dec= 02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63= 6915501554363548&sdata=3DFr3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDR= GNjx8Lo%3D&reserved=3D0 Chief Architect, OpenLDAP https://eur04.safelinks.protection.outlook.com= /?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&data=3D02%7C01%7C%7C= b0dec02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0= %7C636915501554373561&sdata=3DJ%2B926RRaeQIx6%2BIvx70BnHqZ0zj4SO5ilR6VP= vdiTsk%3D&reserved=3D0 --_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo= ttom:0;} </style> </head> <body dir=3D"ltr"> <div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;= color: rgb(0, 0, 0);"> <span style=3D"color: rgb(36, 41, 46); font-family: -apple-system, system-u= i, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Em= oji", "Segoe UI Emoji", "Segoe UI Symbol"; font-si= ze: 14px; background-color: rgb(255, 255, 255); display: inline !important"= >we have documented complete steps to repro the bug<span> </span></span><= a href=3D"https://github.com/siddjain/openldap-bug" style=3D"box-sizing: bo= rder-box; background-color: rgb(255, 255, 255); color: rgb(3, 102, 214); fo= nt-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial= , sans-serif, "Apple Color Emoji", "Segoe UI Emoji", &q= uot;Segoe UI Symbol"; font-size: 14px">here</a><span style=3D"color: r= gb(36, 41, 46); font-family: -apple-system, system-ui, "Segoe UI"= , Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe = UI Emoji", "Segoe UI Symbol"; font-size: 14px; background-co= lor: rgb(255, 255, 255); display: inline !important"><span> </span>wit= h container logs.</span><br> </div> <div> <div id=3D"appendonsend"></div> <div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col= or:rgb(0,0,0)"> <br> </div> <hr tabindex=3D"-1" style=3D"display:inline-block; width:98%"> <div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co= lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Howard Chu <hyc@sy= mas.com><br> <b>Sent:</b> Monday, April 22, 2019 10:15 AM<br> <b>To:</b> siddjain(a)live.com; openldap-its(a)OpenLDAP.org<br> <b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific= ate before sending it to client</font> <div> </div> </div> <div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"= > <div class=3D"PlainText">siddjain(a)live.com wrote:<br> > Full_Name: SIDDHARTH JAIN<br> > Version: 2.4.45<br> > OS: Linux<br> > URL: <a href=3D"ftp://ftp.openldap.org/incoming/">ftp://ftp.openldap.o= rg/incoming/</a><br> > Submission from: (NULL) (173.226.196.10)<br> > <br> > <br> > In some cases, OpenLDAP will modify the TLS certificate given to it be= fore<br> > sending it over to the client resulting in a certificate signature err= or. An<br> > example of certificate it modifies is given below:<br> <br> OpenLDAP never touches the certificates you configure. If you're getting a = corrupted<br> certificate then there's either a bug in your storage/filesystem or in your= SSL/TLS library.<br> <br> -- <br>   -- Howard Chu<br>   CTO, Symas Corp.        &nbs= p;  <a href=3D"https://eur04.safelinks.protection.outlook.com/?url=3Dh= ttp%3A%2F%2Fwww.symas.com&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b0= 8d6c7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548= &amp;sdata=3D7ca82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&amp;res= erved=3D0"> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.syma= s.com&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9e= 7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;sdata=3D7ca= 82woC2PGsf9x0qYDT1izZ5MSqJbxA4T9m8kq5y2Y%3D&amp;reserved=3D0</a><br>   Director, Highland Sun     <a href=3D"https://eu= r04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighlandsun.com%2F= hyc%2F&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9= e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;sdata=3DFr= 3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDRGNjx8Lo%3D&amp;reserved=3D0= "> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fhighland= sun.com%2Fhyc%2F&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462d= a0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554363548&amp;= sdata=3DFr3v%2FI3WSXtWqXOFDY%2F9Z4%2FqS%2F%2FvC4YMJQDRGNjx8Lo%3D&amp;re= served=3D0</a><br>   Chief Architect, OpenLDAP  <a href=3D"https://eur04.safelinks.p= rotection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.openldap.org%2Fproject%2F&amp= ;amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c7462da0%7C84df9e7fe9f640a= fb435aaaaaaaaaaaa%7C1%7C0%7C636915501554373561&amp;sdata=3DJ%2B926RRaeQ= Ix6%2BIvx70BnHqZ0zj4SO5ilR6VPvdiTsk%3D&amp;reserved=3D0"> https://eur04.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.open= ldap.org%2Fproject%2F&amp;data=3D02%7C01%7C%7Cb0dec02e090a48ff954b08d6c= 7462da0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636915501554373561&amp= ;amp;sdata=3DJ%2B926RRaeQIx6%2BIvx70BnHqZ0zj4SO5ilR6VPvdiTsk%3D&amp;res= erved=3D0</a><br> </div> </span></font></div> </div> </body> </html> --_000_MWHPR08MB24001BB2C0F56927A628AF69B53C0MWHPR08MB2400namp_--

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs