Full_Name: Rik Theys
Version: 2.4.40
OS: Fedora 21
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.58.253.57)
Hi,
After upgrading from Fedora 20 to 21 my client machine could no longer connect to our LDAP server. Fedora links openldap with nss for TLS. It throws the following error:
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/a9b3780c.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/f4033bb2.0 from CA certificate directory /etc/openldap/cacerts.
TLS: skipping 'cacert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'esat.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [CN=wheezy-test.esat.kuleuven.be,OU=ESAT,O=KU Leuven,ST=Leuven,C=BE] is valid
TLS: error: connect - force handshake failure: errno 0 - moznss error -12256
TLS: can't connect: TLS error -12256:SSL received a malformed Certificate Request handshake message..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I downgraded to Fedora package 2.4.40-1.fc21, which did not have this bug.
The only difference between 2.4.40-1.fc21 and 2.4.40-2.fc21 is a backported patch for ITS #7979 which adds TLS 1+ support.
I tried to reproduce this on a test machine and was initially unable to reproduce it there. Comparing the config of the test machine with our failing LDAP servers only showed a difference for the olcTLSVerifyClient setting.
When the LDAP server does not have 'olcTLSVerifyClient: allow' in its configuration, it works. Once I set this parameter in the server configuration, the error above appears and LDAP connections are broken.
The patch looks OK, so maybe there's something wrong when openldap uses a higher TLS version and the bug is to be found there?
I've also filed this bug in the fedora bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1172638
Regards,
Rik
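The report above hinges on reading the client's "TLS:" debug lines: which trust store actually supplied the CA certificates, which files in the CA directory were silently ignored, and which NSS error code ended the handshake. Below is an added triage helper (example code, not part of the ITS report or of OpenLDAP) that parses lines of this shape into a structured summary. The sample log is constructed after the output quoted in the report, the regular expressions are assumptions about the message formats, and the wording of the findings is this example's own.

```python
"""Triage helper for OpenLDAP client TLS debug output when the client is
built against NSS (the "TLS: ..." lines seen in the report above).

Added example, not part of the ITS report.  It summarises which CA files
were loaded, which were skipped because their name is not an OpenSSL-style
hash link, whether the NSS certdb could be opened, and which NSS error code
terminated the handshake.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the lines quoted in the report.
SAMPLE_LOG = """\
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/a9b3780c.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/f4033bb2.0 from CA certificate directory /etc/openldap/cacerts.
TLS: skipping 'cacert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'esat.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [CN=wheezy-test.esat.kuleuven.be,OU=ESAT,O=KU Leuven,ST=Leuven,C=BE] is valid
TLS: error: connect - force handshake failure: errno 0 - moznss error -12256
TLS: can't connect: TLS error -12256:SSL received a malformed Certificate Request handshake message..
"""

# OpenSSL-style CA directory entries: 8 hex digits of subject hash, dot, counter.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Message patterns (assumed from the quoted output, not an official format).
RE_CERTDB_ERR = re.compile(r"cannot open certdb '([^']+)', error (-?\d+):(.*)")
RE_LOADED = re.compile(r"loaded CA certificate file (\S+) from CA certificate directory")
RE_SKIPPED = re.compile(r"skipping '([^']+)' - (.*)")
RE_CERT_OK = re.compile(r"certificate \[([^\]]+)\] is valid")
RE_CONNECT_ERR = re.compile(r"can't connect: TLS error (-?\d+):(.*)")


@dataclass
class TlsTriage:
    certdb_error: Optional[tuple] = None          # (path, code, message)
    loaded_ca: list = field(default_factory=list)   # PEM files the directory loader accepted
    skipped: list = field(default_factory=list)     # (filename, reason)
    peer_subjects: list = field(default_factory=list)
    connect_error: Optional[tuple] = None         # (code, message)


def parse_tls_log(text: str) -> TlsTriage:
    """Walk the debug output line by line and collect the TLS-relevant events."""
    t = TlsTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("TLS:"):
            continue
        body = line[len("TLS:"):].strip()
        if m := RE_CERTDB_ERR.search(body):
            t.certdb_error = (m.group(1), int(m.group(2)), m.group(3).strip().rstrip("."))
        elif m := RE_LOADED.search(body):
            t.loaded_ca.append(m.group(1))
        elif m := RE_SKIPPED.search(body):
            t.skipped.append((m.group(1), m.group(2)))
        elif m := RE_CERT_OK.search(body):
            t.peer_subjects.append(m.group(1))
        elif m := RE_CONNECT_ERR.search(body):
            t.connect_error = (int(m.group(1)), m.group(2).strip().rstrip("."))
    return t


def findings(t: TlsTriage) -> list[str]:
    """Turn the parsed events into short, human-readable triage notes."""
    out = []
    if t.certdb_error:
        path, code, msg = t.certdb_error
        if t.loaded_ca:
            out.append(f"certdb at {path} unusable (NSS error {code}: {msg}); "
                       f"trust came from {len(t.loaded_ca)} PEM file(s) instead")
        else:
            out.append(f"no CA trust available: certdb at {path} unusable "
                       f"(NSS error {code}: {msg}) and no PEM CA files loaded")
    for name, _reason in t.skipped:
        if not HASH_NAME.match(name):
            out.append(f"{name}: not a hash-named CA link, ignored by the PEM directory loader")
    if t.connect_error:
        code, msg = t.connect_error
        stage = ("after peer certificate validated" if t.peer_subjects
                 else "before peer certificate validated")
        out.append(f"handshake aborted {stage}: NSS error {code} ({msg})")
    return out


if __name__ == "__main__":
    for note in findings(parse_tls_log(SAMPLE_LOG)):
        print("-", note)
```

Run against the sample, the helper separates the two unrelated problems visible in the report: the certdb open failure is harmless here because the hash-named PEM files supplied the trust anchors, and the peer certificate was accepted; the connection died later, on the CertificateRequest the server sends when client certificates are requested, which is the message the reporter ties to the olcTLSVerifyClient setting.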