On 07/11/2011 10:44 AM, thibault.lemeur@supelec.fr wrote:
Full_Name: Thibault Le Meur
Version: 2.4.23-15
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (160.228.28.55)
Previously, on my FC13 installation (openldap-servers-2.4.21-11), the main slapd process used an X509 "server" certificate while my syncrepl processes were using the /etc/openldap/ldap.conf client configuration file in order to connect to my LDAPs Syncrepl providers.
My new RHEL6 setup (openldap-servers-2.4.23-15.el6.x86_64) is linked to MozNSS, and Syncrepl can't connect to my LDAPs providers anymore because it complains about the TLS context not being initialized correctly (the server's certificate isn't accepted as a client certificate).
Here is the lightly obfuscated log:
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
Here is my syncrepl setup:
syncrepl rid=125
    provider=ldaps://otherldap.mydom.fr
    type=refreshOnly
    interval=00:00:03:00
    retry="60 10 300 +"
    searchbase="dc=subranch,dc=mydom,dc=fr"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
    credentials="MyVerySecretPassword"
My setup related to TLS:
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
And my /etc/openldap/ldap.conf:
TLS_CACERT /etc/ssl/cacerts/cacert.pem
Here is the obfuscated certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=myemail@mydom.fr
        Validity
            Not Before: Oct 2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00
            X509v3 Issuer Alternative Name:
                <EMPTY>
            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        ...
I think this ITS is superseded by http://www.openldap.org/its/index.cgi?findid=7001 and http://www.openldap.org/its/index.cgi?findid=7002.
Note that even with openldap built with openssl (ol 2.4.latest and openssl 1.0.x), the syncrepl tls context is inherited from the main server context, and the server cert is sent as the client cert. If the server sets TLSVerifyClient to never or allow, syncrepl will work, because the server will ignore the problems with the client cert. But if TLSVerifyClient is set to "try", "demand", or "hard", syncrepl will fail because the server always sends the server cert as the client cert, and since the server cert cannot also be used as a client cert, the server will correctly reject it.
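As an added defender's check (not part of this ITS, nor OpenLDAP code): a stdlib-only Python walk of a certificate's DER that reads the Extended Key Usage and tells whether the certificate slapd will present as its syncrepl client certificate is even eligible for client authentication. The sample extension bytes are constructed to mirror the EKU shown in the report; for a real check, feed `client_auth_allowed()` the DER-decoded contents of the TLSCertificateFile.

```python
# EKU purposes from RFC 5280 section 4.2.1.12, and the OID of the EKU extension itself
SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING = ("1.3.6.1.5.5.7.3.%d" % i for i in (1, 2, 3))
EKU_EXTENSION = "2.5.29.37"

def der_elements(data):
    """Yield (tag, contents) for each TLV in a DER byte string (short or long lengths)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string; the first byte packs the first two arcs."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                        # base-128 arcs, high bit set except on the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def eku_oids(der):
    """EKU OIDs of a DER certificate (or any DER holding the Extension); None when absent."""
    for tag, value in der_elements(der):
        if tag & 0x20:                         # constructed type (SEQUENCE, [n]): descend into it
            items = list(der_elements(value))
            if items and items[0][0] == 0x06 and decode_oid(items[0][1]) == EKU_EXTENSION:
                (_, seq), = der_elements(items[-1][1])  # extnValue OCTET STRING -> SEQUENCE OF OID
                return [decode_oid(v) for t, v in der_elements(seq) if t == 0x06]
            found = eku_oids(value)
            if found is not None:
                return found
    return None

def client_auth_allowed(der):
    """No EKU extension means any purpose; otherwise id-kp-clientAuth must be listed."""
    return (eku := eku_oids(der)) is None or CLIENT_AUTH in eku

# Constructed sample (not the reporter's real certificate): the critical EKU Extension from
# the report, DER-encoded field by field. slapd presents this same cert as its client cert.
REPORTED_EKU = bytes.fromhex(
    "3020"                     # Extension SEQUENCE, 32 bytes
    "0603551d25"               # extnID = 2.5.29.37 (extendedKeyUsage)
    "0101ff"                   # critical = TRUE
    "0416" "3014"              # extnValue OCTET STRING wrapping SEQUENCE OF OID
    "06082b06010505070301"     # id-kp-serverAuth
    "06082b06010505070303")    # id-kp-codeSigning
# Re-issued variant: last arc 3 -> 2 turns codeSigning into id-kp-clientAuth
REISSUED_EKU = REPORTED_EKU[:-1] + b"\x02"
```

Run against the reported certificate the check returns False, which is exactly why a provider configured with TLSVerifyClient try/demand/hard rejects the consumer; a certificate carrying both serverAuth and clientAuth (or no EKU at all) passes.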