Full_Name: Ryan Tandy Version: master OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan
ldap.google.com requires clients to support SNI and sends back an intentionally invalid certificate if it is not used. Affects libldap with both OpenSSL and GnuTLS. (Might want a separate ITS for each fix.)
With OpenSSL:
$ ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x -d1
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.239.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 0, err: 18, subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid, issuer: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
With GnuTLS:
$ ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x -d1
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.239.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
When the client does not support SNI, this server sends back a dummy certificate:
OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
which obviously does not validate. The same behaviour can be seen with "openssl s_client -noservername" or "gnutls-cli --disable-sni".
For GnuTLS, we have to call gnutls_server_name_set(3) to enable SNI. The documentation notes that it should only be called with a DNS name, not with an IP address. I guess there's a corresponding call for OpenSSL.
With GnuTLS, users can work around it for the short term by disabling TLSv1.3 via priority string, i.e.:
LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3' ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x
Not sure if the same can be done with OpenSSL.
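As an added example (not part of this ITS report and not libldap's own code), the following C shows the two SNI-enabling calls the report points at, gnutls_server_name_set(3) for GnuTLS and SSL_set_tlsext_host_name(3) for OpenSSL, behind the check the GnuTLS documentation asks for: the extension may only carry a DNS name, and RFC 6066 section 3 additionally forbids IPv4/IPv6 literals and a trailing dot. The HAVE_OPENSSL / HAVE_GNUTLS macros are assumed build switches, and tls_sni_name, tls_wants_sni, tls_sni_name_equals and the tls_set_sni_* wrappers are hypothetical names chosen for this example; the host strings in main() are constructed inputs (the report's host and the address it resolved to, plus edge cases).

```c
/*
 * Added example, not from the ITS report nor from libldap.
 * Decide whether a connection target may be sent as a TLS SNI host name
 * and, if so, set it on an OpenSSL or GnuTLS session.  HAVE_OPENSSL and
 * HAVE_GNUTLS are assumed build macros; the function names are hypothetical.
 */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_OPENSSL
#include <openssl/ssl.h>
#endif
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#endif

/*
 * Derive the server_name value for `host`.  Returns true and fills out[]
 * when host is a DNS name; returns false for an empty string, an over-long
 * name, or an IPv4/IPv6 literal (bare or "[...]"-bracketed as in URLs), in
 * which case no server_name extension should be sent at all (RFC 6066 s.3).
 */
bool tls_sni_name(const char *host, char *out, size_t outlen)
{
    char bare[256];
    unsigned char v4[sizeof(struct in_addr)];
    size_t len;

    if (host == NULL || outlen == 0)
        return false;
    len = strlen(host);
    if (len == 0 || len >= sizeof(bare))
        return false;

    /* "[2001:db8::1]" as written in a URL: inspect the bracketed text. */
    if (host[0] == '[' && host[len - 1] == ']') {
        memcpy(bare, host + 1, len - 2);
        bare[len - 2] = '\0';
        host = bare;
        len -= 2;
        if (len == 0)
            return false;
    }

    /* A colon never appears in a host name, so this rejects every IPv6
     * form, including scoped ones ("fe80::1%eth0") that inet_pton rejects. */
    if (strchr(host, ':') != NULL)
        return false;
    if (inet_pton(AF_INET, host, v4) == 1)
        return false;

    /* A trailing dot is legal in an FQDN but must not go on the wire. */
    if (host[len - 1] == '.')
        len--;
    if (len == 0 || len >= outlen)
        return false;
    memcpy(out, host, len);
    out[len] = '\0';
    return true;
}

/* Yes/no form of the decision, for callers that do not need the name. */
bool tls_wants_sni(const char *host)
{
    char name[256];
    return tls_sni_name(host, name, sizeof(name));
}

/* True when SNI would be sent for host and the name sent equals expect. */
int tls_sni_name_equals(const char *host, const char *expect)
{
    char name[256];
    return tls_sni_name(host, name, sizeof(name)) && strcmp(name, expect) == 0;
}

#ifdef HAVE_OPENSSL
/* OpenSSL: SSL_set_tlsext_host_name() puts the name in the ClientHello. */
int tls_set_sni_openssl(SSL *ssl, const char *host)
{
    char name[256];
    if (!tls_sni_name(host, name, sizeof(name)))
        return 0;                         /* address literal: send no SNI */
    return SSL_set_tlsext_host_name(ssl, name) == 1;
}
#endif

#ifdef HAVE_GNUTLS
/* GnuTLS: gnutls_server_name_set() with GNUTLS_NAME_DNS, DNS names only. */
int tls_set_sni_gnutls(gnutls_session_t session, const char *host)
{
    char name[256];
    if (!tls_sni_name(host, name, sizeof(name)))
        return 0;                         /* address literal: send no SNI */
    return gnutls_server_name_set(session, GNUTLS_NAME_DNS,
                                  name, strlen(name)) == GNUTLS_E_SUCCESS;
}
#endif

int main(void)
{
    /* Constructed inputs: the report's host and address plus edge cases. */
    const char *hosts[] = { "ldap.google.com", "ldap.google.com.",
                            "216.239.32.58", "[2001:db8::1]", "fe80::1%eth0" };
    char name[256];
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        if (tls_sni_name(hosts[i], name, sizeof(name)))
            printf("%-18s -> send SNI \"%s\"\n", hosts[i], name);
        else
            printf("%-18s -> no SNI (address literal)\n", hosts[i]);
    }
    return 0;
}
```

The same check can be reproduced from the command line: `openssl s_client -connect ldap.google.com:636 -servername ldap.google.com` presents the real certificate chain, while the report's `-noservername` run yields the invalid2.invalid placeholder. The fix is to send SNI, not to relax verification; a TLS_REQCERT setting of never would "work" against this server by accepting any certificate, which defeats the point of ldaps.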