Siddharth Jain wrote:
> we have documented complete steps to repro the bug here <https://github.com/siddjain/openldap-bug> with container logs.
I see no error here.

Using your cert/key files:

ls -l /tmp/jnj
total 12
-rw-r--r-- 1 hyc hyc 1592 Apr 24 17:34 jnj-ca-chain.pem
-rw-r--r-- 1 hyc hyc  241 Apr 24 17:34 jnj-ldap-server-tls.key
-rw-r--r-- 1 hyc hyc 1111 Apr 24 17:34 jnj-ldap-server-tls.pem
###
With this slapd config:

vielle:~/OD/hobj/tests> cat testrun/slapd.1.conf
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
include ./testdata/test.schema

pidfile /home/hyc/OD/hobj/tests/testrun/slapd.1.pid
argsfile /home/hyc/OD/hobj/tests/testrun/slapd.1.args

sockbuf_max_incoming 4194303

TLSCAcertificatefile /tmp/jnj/jnj-ca-chain.pem
TLSCertificateFile /tmp/jnj/jnj-ldap-server-tls.pem
TLSCertificateKeyFile /tmp/jnj/jnj-ldap-server-tls.key

database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /home/hyc/OD/hobj/tests/testrun/db.1.a
index objectClass eq
index cn,sn,uid pres,eq,sub
maxsize 33554432

database monitor
###
And this slapd invocation from the OpenLDAP build tree:

vielle:~/OD/hobj/tests> ../servers/slapd/slapd -f testrun/slapd.1.conf -h ldaps://:9011 -s0 -d7

I get no verification error:
openssl s_client -connect localhost:9011 -state -nbio -CAfile jnj-ca-chain.pem -showcerts
CONNECTED(00000005)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=2 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
verify return:1
depth=1 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
verify return:1
depth=0 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
read R BLOCK
---
Certificate chain
 0 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
 1 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
 2 s:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
   i:C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
---
Server certificate
subject=C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = jnj-ldap-server
issuer=C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2254 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4E6019F281D63D69D1C800DF4D2441CC918FF4A3AFA8A0A6D6D05FFB544E91F2
    Session-ID-ctx:
    Resumption PSK: A00E7F64B5EA00718122A6F34EF0EC9167F437BDB832D9C64834D18F367E8AD2AD5F9BCF9649330D321DC19D0AB49882
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1556123794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
SSL_connect:SSLv3/TLS read server session ticket
read R BLOCK
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A7B81922756F8F5B986C7B38E0F29399F8127F52D042EB7D0DCEDB8D4CD577B5
    Session-ID-ctx:
    Resumption PSK: 5FDD5DF642126A4F04D05EBBECDBB92BBCBAB6A7E05051224D646693BBD0B964C039185F933442D400BBCBC92A832913
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1556123794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
SSL_connect:SSLv3/TLS read server session ticket
read R BLOCK
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
vielle:/home/software/openldap-bug> ###
There is no OpenLDAP bug here. Your server environment is broken.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
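The check done by hand above (slapd loads the cert/key pair, s_client verifies the served chain against the CA file) can be run offline against a slapd.conf before a server is even started. The script below is an added example, not part of this thread or of OpenLDAP; it assumes the openssl CLI is on PATH and that the three TLS directives use plain, unquoted paths.

```shell
#!/bin/sh
# Added example: sanity-check the TLS material a slapd.conf points at.
# Assumes the openssl CLI is on PATH and the TLS directives use unquoted paths.

# slapd.conf keywords are case-insensitive (the config above spells it
# "TLSCAcertificatefile"), so match them lower-cased.
conf_value() {
  awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

# check_slapd_tls CONF
# exit status: 0 ok, 2 unreadable/missing file, 3 key/cert mismatch, 4 chain failure
check_slapd_tls() {
  conf=$1
  ca=$(conf_value "$conf" tlscacertificatefile)
  cert=$(conf_value "$conf" tlscertificatefile)
  key=$(conf_value "$conf" tlscertificatekeyfile)
  for f in "$ca" "$cert" "$key"; do
    if [ ! -r "$f" ]; then
      echo "unreadable or missing: '$f'" >&2
      return 2
    fi
  done
  # The private key must belong to the certificate: compare public keys.
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
    echo "TLSCertificateKeyFile does not match TLSCertificateFile" >&2
    return 3
  fi
  # The certificate must chain to the CA file, as s_client -CAfile checks it.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "TLSCertificateFile does not verify against TLSCAcertificatefile" >&2
    return 4
  fi
  echo "ok: $cert chains to $ca and matches $key"
  return 0
}

if [ $# -ge 1 ]; then
  check_slapd_tls "$1"
fi
```

Run it as `sh check_slapd_tls.sh /path/to/slapd.conf`; a non-zero status tells you which of the three files is the broken one before slapd or a client ever sees it.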