Full_Name: SIDDHARTH JAIN
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (173.226.196.10)
In some cases, OpenLDAP will modify the TLS certificate given to it before sending it over to the client, resulting in a certificate signature error. An example of a certificate it modifies is given below:
-----BEGIN CERTIFICATE-----
MIIDBzCCAq2gAwIBAgIULFEF1JLNT6p0mzk7sbK8vQM/R+0wCgYIKoZIzj0EAwIw
fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzANBgNVBAsTBmNsaWVudDAKBgNV
BAsTA2puajEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MTcxNjQ5MDBa
Fw0yMDA0MTYxNjU0MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP
BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMA0G
A1UECxMGY2xpZW50MAoGA1UECxMDam5qMRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2
ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQ+ACOVmhx0kUAMqLdl6i+s2//
3CgJi7YIYs4wwgMipNK7+s70Wwyva7lv6r2rOrpGOtlifCw4zSXB1E+DxKXho4IB
BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT6olgSiuvK/c1P3/Gx+ljQL3yk
FzAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q
bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi
LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQCN9saDTwXZ
4cefM27rUFT/1TqC3c7w8+NZNrJO3IYYFAIgHkGUYGABgiIEeQXyprd4AuLGhIZE
mkhMI0uVeKWj1Jc=
-----END CERTIFICATE-----
The certificate returned to the client is however:
-----BEGIN CERTIFICATE-----
MIIDBzCCAq2gAwIBAgIULFEF1JLNT6p0mzk7sbK8vQM/R+0wCgYIKoZIzj0EAwIw
fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzAKBgNVBAsTA2puajANBgNVBAsT
BmNsaWVudDEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MTcxNjQ5MDBa
Fw0yMDA0MTYxNjU0MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP
BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMAoG
A1UECxMDam5qMA0GA1UECxMGY2xpZW50MRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2
ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQ+ACOVmhx0kUAMqLdl6i+s2//
3CgJi7YIYs4wwgMipNK7+s70Wwyva7lv6r2rOrpGOtlifCw4zSXB1E+DxKXho4IB
BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT6olgSiuvK/c1P3/Gx+ljQL3yk
FzAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q
bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi
LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQCN9saDTwXZ
4cefM27rUFT/1TqC3c7w8+NZNrJO3IYYFAIgHkGUYGABgiIEeQXyprd4AuLGhIZE
mkhMI0uVeKWj1Jc=
-----END CERTIFICATE-----
which is different.
The setup on which we have tested this is using the osixia/openldap docker image https://github.com/osixia/docker-openldap. We are able to reproduce the error on both Mac and Ubuntu.
The server is started using following command:
docker run -p 636:636 \
  --name $NAME \
  --volume ${PWD}/data/slapd/database:/var/lib/ldap \
  --volume ${PWD}/data/slapd/config:/etc/ldap/slapd.d \
  --volume ${PWD}/data/slapd/certs:/container/service/slapd/assets/certs \
  --env LDAP_TLS_VERIFY_CLIENT=never \
  --env LDAP_TLS_ENFORCE=true \
  --env HOSTNAME=jnj-ldap-server \
  --env LDAP_DOMAIN="jnj.com" \
  --env LDAP_ADMIN_PASSWORD="superman" \
  --env LDAP_LOG_LEVEL=-1 \
  --detach osixia/openldap:1.2.4 --loglevel debug --copy-service
and below is the result of running openssl:
root@6fc2ae248018:/usr/src/app# openssl s_client -state -nbio -connect jnj-ldap-server:636 -CAfile jnj-ca-chain.pem -showcerts
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=2 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, CN = rca-jnj
verify return:1
depth=1 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = client + OU = jnj, CN = rca-jnj-admin
verify return:1
depth=0 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = jnj + OU = client, CN = jnj-ldap-server
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = US, ST = WA, L = Bellevue, O = Johnson & Johnson, OU = jnj + OU = client, CN = jnj-ldap-server
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:error in SSLv3/TLS write finished
read R BLOCK
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
read R BLOCK
---
Certificate chain
 0 s:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/OU=jnj/OU=client/CN=jnj-ldap-server
   i:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/OU=jnj/OU=client/CN=rca-jnj-admin
-----BEGIN CERTIFICATE-----
MIIDBzCCAq2gAwIBAgIULFEF1JLNT6p0mzk7sbK8vQM/R+0wCgYIKoZIzj0EAwIw
fjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xGzAKBgNVBAsTA2puajANBgNVBAsT
BmNsaWVudDEWMBQGA1UEAxMNcmNhLWpuai1hZG1pbjAeFw0xOTA0MTcxNjQ5MDBa
Fw0yMDA0MTYxNjU0MDBaMIGAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAP
BgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYgSm9obnNvbjEbMAoG
A1UECxMDam5qMA0GA1UECxMGY2xpZW50MRgwFgYDVQQDEw9qbmotbGRhcC1zZXJ2
ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQ+ACOVmhx0kUAMqLdl6i+s2//
3CgJi7YIYs4wwgMipNK7+s70Wwyva7lv6r2rOrpGOtlifCw4zSXB1E+DxKXho4IB
BDCCAQAwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT6olgSiuvK/c1P3/Gx+ljQL3yk
FzAfBgNVHSMEGDAWgBTbr7PEPX6ZIN6APotjhLkd6hPeqDAaBgNVHREEEzARgg9q
bmotbGRhcC1zZXJ2ZXIwZQYIKgMEBQYHCAEEWXsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJqbmoiLCJoZi5FbnJvbGxtZW50SUQiOiJqbmotbGRhcC1zZXJ2ZXIi
LCJoZi5UeXBlIjoiY2xpZW50In19MAoGCCqGSM49BAMCA0gAMEUCIQCN9saDTwXZ
4cefM27rUFT/1TqC3c7w8+NZNrJO3IYYFAIgHkGUYGABgiIEeQXyprd4AuLGhIZE
mkhMI0uVeKWj1Jc=
-----END CERTIFICATE-----
 1 s:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/OU=jnj/OU=client/CN=rca-jnj-admin
   i:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/CN=rca-jnj
-----BEGIN CERTIFICATE-----
MIICQTCCAeegAwIBAgIUBU9O3Wb3BDS8YuWRLYaKClbA9ZcwCgYIKoZIzj0EAwIw
WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN
MTkwMjAxMjMxOTAwWhcNMjQwMTMxMjMyNDAwWjB+MQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg
Sm9obnNvbjEbMAoGA1UECxMDam5qMA0GA1UECxMGY2xpZW50MRYwFAYDVQQDEw1y
Y2Etam5qLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk4b8f5mWq+jf
iMKQBVI8uU7btAF/LSSdXoOXYPW8JyJ23v5wtwRiQ/g4Al/6aIchvAC4QhJRUnz0
DMKuI7GCp6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFNuvs8Q9fpkg3oA+i2OEuR3qE96oMB8GA1UdIwQYMBaAFBGV3Han
Nf1T5i8fvDh239lt5W9DMAoGCCqGSM49BAMCA0gAMEUCIQD/4+AUOMBdofQEVsH2
2A6UGiJQvuplLEBA9in0cZTcCQIgcV5K+KCs3a5RNYUWdllakGx8c1f6ISrmk4an
gjeXphQ=
-----END CERTIFICATE-----
 2 s:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/CN=rca-jnj
   i:/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/CN=rca-jnj
-----BEGIN CERTIFICATE-----
MIIB/TCCAaOgAwIBAgIUSsxdq02aJCyaIHkIRxRdKvWYG9swCgYIKoZIzj0EAwIw
WzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQHEwhCZWxsZXZ1ZTEa
MBgGA1UECgwRSm9obnNvbiAmIEpvaG5zb24xEDAOBgNVBAMTB3JjYS1qbmowHhcN
MTkwMjAxMjExNDAwWhcNMzQwMTI4MjExNDAwWjBbMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExETAPBgNVBAcTCEJlbGxldnVlMRowGAYDVQQKDBFKb2huc29uICYg
Sm9obnNvbjEQMA4GA1UEAxMHcmNhLWpuajBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABCF30Cn+O5sD/9n6d3IQQEGiceCTD7gG/5t4dHR4xmvm84HNgRngGKGF4fny
6BXkPSyDguP+L5zozdWDb8dWTQejRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB
Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBQRldx2pzX9U+YvH7w4dt/ZbeVvQzAKBggq
hkjOPQQDAgNIADBFAiEAkCQcOP+PmyVIMgr/cUsk04qH8lXYO4DqDuH1WSNvGfEC
IBZQGRehpZ604FgkD0YqmiGRV/OzU99em0g3jkmWJbJY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/OU=jnj/OU=client/CN=jnj-ldap-server
issuer=/C=US/ST=WA/L=Bellevue/O=Johnson & Johnson/OU=jnj/OU=client/CN=rca-jnj-admin
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2202 bytes and written 302 bytes
Verification error: certificate signature failure
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: CAA7D5C4B5733C027877F5BC255EEA192B70E5D6125BC359B19CDDD3708BF857
    Session-ID-ctx:
    Master-Key: 94727E3BE5361CCC34D02DDD797F62C7875A96283A1EB12FBD584749E36E804DE7BD402C81CDFC0F9F3DF0487BE38399
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555951187
    Timeout   : 7200 (sec)
    Verify return code: 7 (certificate signature failure)
    Extended master secret: yes
---
There is a certificate signature failure since the certificate returned to the client is different from the certificate provided to the server.
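Comparing the two PEM blocks in the report byte by byte shows where they differ: only in the order of the two OU elements inside the multi-valued RDN of the issuer and subject names. The certificate as provided encodes OU=client before OU=jnj (the openssl output shows this as "OU = client + OU = jnj" at depth 1, read from the CA file), while the certificate the server returned encodes OU=jnj before OU=client, which is the order X.690 prescribes for a DER SET OF (components sorted by their encoded octets; the 12-byte OU=jnj element sorts before the 15-byte OU=client element). Because the signature covers the exact bytes of tbsCertificate, any re-serialization that moves those elements invalidates the signature, which is what "certificate signature failure" reports. The script below is an added example and not part of the ITS report; it constructs a Name that mirrors the report's subject rather than parsing the report's certificates, and it implements the general DER SET-ordering check so it can be pointed at any PEM certificate to see whether its names are in canonical order before a strict DER encoder touches them.

```python
"""Added example (not from the ITS report): show how re-serializing a
multi-valued RDN into DER-canonical SET order changes the bytes that a
certificate signature covers.  The Name below is constructed to mirror the
report's subject (OU=client + OU=jnj, CN=jnj-ldap-server); it is not the
report's certificate, and nothing here parses the report's PEM blocks."""
import base64
import hashlib

OID_OU = bytes.fromhex("55040b")  # id-at-organizationalUnitName (2.5.4.11)
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def attribute(oid, value):
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }"""
    return tlv(0x30, tlv(0x06, oid) + tlv(0x13, value.encode("ascii")))

def rdn(*attrs):
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue; the caller's
    order is kept as given, canonical or not."""
    return tlv(0x31, b"".join(attrs))

def name(*rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName"""
    return tlv(0x30, b"".join(rdns))

def read_tlv(data, pos):
    """Return (tag, body, end_offset) for the single-byte-tag TLV at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, data[start:start + length], start + length

def children(body):
    """Split the body of a constructed value into its encoded components."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out

def set_key(enc, width):
    # X.690 11.6: SET OF components are ordered by their encodings compared as
    # octet strings, the shorter ones padded at the trailing end with zeros.
    return enc + b"\x00" * (width - len(enc))

def canonicalize(der):
    """Re-encode a value recursively, sorting the contents of every SET."""
    tag, body, _ = read_tlv(der, 0)
    if not tag & 0x20:  # primitive: its bytes are kept as they are
        return der
    kids = [canonicalize(c) for c in children(body)]
    if tag == 0x31:
        width = max((len(k) for k in kids), default=0)
        kids.sort(key=lambda k: set_key(k, width))
    return tlv(tag, b"".join(kids))

def noncanonical_sets(der):
    """Count SET values whose components are not in DER-canonical order."""
    tag, body, _ = read_tlv(der, 0)
    if not tag & 0x20:
        return 0
    kids = children(body)
    count = sum(noncanonical_sets(k) for k in kids)
    if tag == 0x31:
        width = max((len(k) for k in kids), default=0)
        keys = [set_key(k, width) for k in kids]
        if keys != sorted(keys):
            count += 1
    return count

def pem_from_der(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def noncanonical_sets_in_pem(pem_text):
    """Same check on a PEM certificate: mis-ordered SETs inside tbsCertificate."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    _, cert_body, _ = read_tlv(base64.b64decode(b64), 0)  # Certificate ::= SEQUENCE
    return noncanonical_sets(children(cert_body)[0])      # first component: tbsCertificate

# Subject in the order the report's original certificate encodes it.
AS_ISSUED = name(rdn(attribute(OID_OU, "client"), attribute(OID_OU, "jnj")),
                 rdn(attribute(OID_CN, "jnj-ldap-server")))
# Subject in the order the server returned it.
AS_RETURNED = name(rdn(attribute(OID_OU, "jnj"), attribute(OID_OU, "client")),
                   rdn(attribute(OID_CN, "jnj-ldap-server")))

if __name__ == "__main__":
    print("as issued   :", AS_ISSUED.hex())
    print("as returned :", AS_RETURNED.hex())
    print("canonicalize(issued) == returned :", canonicalize(AS_ISSUED) == AS_RETURNED)
    print("mis-ordered SETs, issued/returned:",
          noncanonical_sets(AS_ISSUED), noncanonical_sets(AS_RETURNED))
    print("sha256 over the two encodings equal:",
          hashlib.sha256(AS_ISSUED).digest() == hashlib.sha256(AS_RETURNED).digest())
```

Running it prints the two encodings, confirms that canonicalizing the as-issued Name yields exactly the as-returned bytes, and reports one mis-ordered SET in the former and none in the latter. To check a real certificate, read its PEM file into a string and call noncanonical_sets_in_pem on it: a non-zero count means the file was produced in BER rather than strict DER order and will not survive a canonical re-encoding with its signature intact, so the fix belongs on the issuing side (re-issue with a DER-strict encoder) rather than in the server.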