On Aug 22, 2008, at 2:53 PM, john.w.clark@hp.com wrote:
Full_Name:
Version: 2.3.36 and earlier and I assume also later
OS: Red Hat Enterprise Linux 4.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (15.203.233.75)
This problem was previously described on the OpenLDAP website at:
http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html
The described fix is not included in release 2.3.36 and I assume that it has not been included in later releases either.
The problem is with the response to the 'startTLS' command in the 'slapd' server.
Here is an excerpt from the write up at the above URL:
Having fixed the issue described above, we came across another issue which concerns the TLS extended operation response.
As RFC2830 states:
RFC 2830 has been replaced by RFC 4510, 4511, and RFC 4513.
... A Start TLS extended response MUST contain a responseName field which MUST be set to the same string as that in the responseName field present in the Start TLS extended request. ...
This MUST was purposely removed from the revised LDAP specifications by the IETF.
Unfortunately the OpenLDAP server doesn't return the 'responseName' field. This defect may prevent other LDAP APIs from understanding the response of OpenLDAP servers.
Clients are supposed to use message-ids to match up responses with requests.
For instance, Microsoft LDAP API doesn't accept the response without this field.
Sounds like a bug in Microsoft LDAP, especially given the current Start TLS specification. I suggest you report this to them.
We suggest adding the responseName field to the response. This is also a trivial one:
rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
before 'rc = LDAP_SUCCESS;' in starttls_extop() function (starttls.c).
See my comments in my response to ITS#3037 as to why I think such should not be done.
- Patch
Unfortunately I didn't manage to get access to the /incoming FTP folder despite the fact that I used my email as the password. So here is a patch for both problems:
============= --- orig/starttls.c 2004-01-01 21:15:32.000000000 +0200 +++ fixed/starttls.c 2004-05-27 14:14:54.000000000 +0300 @@ -94,6 +94,8 @@ op->o_conn->c_is_tls = 1; op->o_conn->c_needs_tls_accept = 1;
- rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
- rc = LDAP_SUCCESS;
done:
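Review bot: the added `rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);` sits after `op->o_conn->c_needs_tls_accept = 1;` on the success path only, so responses produced by the paths that jump straight to `done:` still carry no responseName, even though the RFC 2830 text quoted above requires it on every Start TLS extended response; if the field is to be set at all, set it once ahead of `done:` rather than only before `rc = LDAP_SUCCESS;`. The SLAP_STRDUP result is also assigned without a NULL check, and nothing in the hunk shows who frees `sr_rspoid` after the response is sent, so confirm the caller releases it or the per-request allocation leaks.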
Looking forward to your comments...
Sincerely yours,
Kirill Kovalenko Softerra LLC
Thanks and Regards, John Clark
john.w.clark@hp.com
Sr. Software Engineer
Hewlett-Packard Atalla Security Products
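The point made in the thread, that a client should correlate the Start TLS extended response with its request by messageID and treat responseName as optional (RFC 4511), as an added example that is not part of this ITS exchange or of slapd: a minimal BER encoder/decoder for LDAPMessage { messageID, ExtendedResponse } and a correlator that accepts the response both with and without responseName. The StartTLS OID is the well-known value of LDAP_EXOP_START_TLS; BER lengths are limited to the short form to keep the example small.

```python
# Added example (not code from the ITS thread or from OpenLDAP): client-side
# handling of an LDAP ExtendedResponse that correlates by messageID, so a
# missing responseName (as slapd sends) does not break the StartTLS handshake.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # the value behind LDAP_EXOP_START_TLS

def tlv(tag, body):
    """BER TLV with short-form length; enough for these small messages."""
    if len(body) >= 128:
        raise ValueError("short-form BER length only in this example")
    return bytes([tag, len(body)]) + body

def extended_response(msg_id, result_code, response_name=None):
    """Encode LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse }."""
    op = tlv(0x0A, bytes([result_code]))            # resultCode ENUMERATED
    op += tlv(0x04, b"") + tlv(0x04, b"")           # matchedDN, diagnosticMessage
    if response_name is not None:
        op += tlv(0x8A, response_name.encode())     # [10] responseName, OPTIONAL
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, op))

def _elements(buf):
    """Yield (tag, body) for each short-form TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length & 0x80:
            raise ValueError("long-form BER length not supported here")
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

def parse_extended_response(msg):
    """Decode the message; responseName may legitimately be absent."""
    outer = list(_elements(msg))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    fields = list(_elements(outer[0][1]))
    if fields[0][0] != 0x02 or fields[1][0] != 0x78:
        raise ValueError("expected messageID INTEGER and ExtendedResponse")
    op = list(_elements(fields[1][1]))       # positional: resultCode, matchedDN, diag
    name = next((b.decode() for t, b in op[3:] if t == 0x8A), None)
    return {"messageID": int.from_bytes(fields[0][1], "big"),
            "resultCode": int.from_bytes(op[0][1], "big"), "responseName": name}

def correlate(pending, msg):
    """Match a response to its request by messageID (pending: id -> request OID).
    Returns the OID of the request that was answered."""
    r = parse_extended_response(msg)
    if r["messageID"] not in pending:
        raise ValueError("unknown messageID %d" % r["messageID"])
    req_oid = pending.pop(r["messageID"])
    # responseName is checked only when present; absence is not an error.
    if r["responseName"] is not None and r["responseName"] != req_oid:
        raise ValueError("responseName does not match the request OID")
    return req_oid
```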