We have documented complete steps to repro the bug here (https://github.com/siddjain/openldap-bug) with container logs.
________________________________
From: Howard Chu <hyc@symas.com>
Sent: Monday, April 22, 2019 10:15 AM
To: siddjain@live.com; openldap-its@OpenLDAP.org
Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client

siddjain@live.com wrote:
> Full_Name: SIDDHARTH JAIN
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (173.226.196.10)
>
>
> In some cases, OpenLDAP will modify the TLS certificate given to it before
> sending it over to the client resulting in a certificate signature error. An
> example of certificate it modifies is given below:

OpenLDAP never touches the certificates you configure. If you're getting a corrupted
certificate then there's either a bug in your storage/filesystem or in your SSL/TLS library.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
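The quickest way to settle a "the server changed my certificate" report like the one above is to stop reasoning about it and compare bytes: fingerprint every certificate in the configured PEM bundle and every certificate the listener actually presents, position by position. If the fingerprints match, the client-side signature error is a trust or chain problem, not corruption; if they differ, the fault lies between the file and the wire (how the file is read, or the TLS library), which is exactly the split Howard Chu points at. The following is an added example, not code from the OpenLDAP project or from either participant in this thread; the host name `ldap.example.com`, the path `/etc/ldap/server.pem` and the sample PEM bodies are assumptions/constructed data, and the sample bodies are not real certificates.

```python
import base64
import hashlib
import re
import ssl
from typing import List

# One PEM certificate block; the base64 body may span many lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_bundle_to_ders(pem_text: str) -> List[bytes]:
    """Split a PEM file (a single cert or a whole chain) into DER blobs,
    in file order. Line breaks inside the base64 body are ignored, as any
    PEM reader does; anything outside the BEGIN/END markers is skipped."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        ders.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form that
    `openssl x509 -noout -fingerprint -sha256` prints, so the value can be
    checked against CLI output by eye."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def compare_chains(configured_pem: str, served_pem: str) -> List[str]:
    """Compare the certificates a server presented with the bundle it was
    configured with, position by position. Returns a list of findings; an
    empty list means every served certificate is byte-identical to the
    configured one in the same position."""
    configured = [fingerprint(d) for d in pem_bundle_to_ders(configured_pem)]
    served = [fingerprint(d) for d in pem_bundle_to_ders(served_pem)]
    findings = []
    if not configured:
        findings.append("configured bundle contains no certificate blocks")
    if not served:
        findings.append("server presented no certificate blocks")
    for i, (want, got) in enumerate(zip(configured, served)):
        if want != got:
            findings.append(f"cert #{i} differs: on disk {want}, served {got}")
    if len(served) > len(configured):
        findings.append(f"server sent {len(served) - len(configured)} "
                        "extra certificate(s) not in the configured bundle")
    elif len(served) < len(configured):
        findings.append(f"server omitted {len(configured) - len(served)} "
                        "certificate(s) that are in the configured bundle")
    return findings


def fetch_served_leaf(host: str, port: int = 636) -> str:
    """Fetch the leaf certificate from an LDAPS (implicit TLS) listener as
    PEM. Verification is deliberately off (ssl.get_server_certificate does
    not verify unless ca_certs is given): the point is to see the bytes the
    server presents even when they are broken. Only the leaf is returned,
    so compare it with the first block of the configured bundle. For a
    389/STARTTLS listener this helper does not apply."""
    return ssl.get_server_certificate((host, port))


def pem_block(der: bytes) -> str:
    """Wrap DER bytes as one PEM certificate block (used for the sample)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed sample data: NOT real certificates, just byte strings with a
# DER-like SEQUENCE prefix so the comparison logic can run offline.
LEAF_DER = b"\x30\x82\x01\x00" + b"constructed leaf certificate bytes"
CA_DER = b"\x30\x82\x01\x00" + b"constructed issuer certificate bytes"
CONFIGURED_BUNDLE = pem_block(LEAF_DER) + pem_block(CA_DER)
SERVED_INTACT = pem_block(LEAF_DER) + pem_block(CA_DER)
# One byte of the leaf altered, the kind of damage the report describes.
SERVED_CORRUPT = pem_block(LEAF_DER[:-1] + b"?") + pem_block(CA_DER)

if __name__ == "__main__":
    for label, served in (("intact", SERVED_INTACT), ("corrupt", SERVED_CORRUPT)):
        findings = compare_chains(CONFIGURED_BUNDLE, served)
        print(f"{label}: " + ("match" if not findings else "; ".join(findings)))
    # Against a live LDAPS listener (hypothetical host name and file path):
    # with open("/etc/ldap/server.pem") as f:
    #     print(compare_chains(f.read(), fetch_served_leaf("ldap.example.com")))
```

The same check from a shell is `openssl s_client -connect host:636 -showcerts </dev/null` for the served side and `openssl x509 -in server.pem -noout -fingerprint -sha256` for the file; the fingerprint format above is chosen to match that output. Two caveats: if the served bytes are so damaged that the TLS library cannot parse them at all, the handshake fails before any certificate is returned and `fetch_served_leaf` raises `ssl.SSLError`, which is itself a finding; and a match on the leaf with a client-side signature error means the client is missing or mis-ordering the issuer chain rather than receiving a modified certificate.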