Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate before sending it to client - openldap-bugs

24 Apr 2019


      --_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thank you. we tried using another openldap image and that worked. so it see=
ms the problem is with the osixia docker image we were using to run openlda=
p. it is based on debian (which uses GnuTLS per your email) so tbh we are s=
urprised it would have such a bug in it. the image that worked for us is ba=
sed on alpine.
https://github.com/osixia/docker-light-baseimage/blob/stable/image/Dockerfi=
le
https://github.com/tiredofit/docker-openldap/blob/master/Dockerfile
but back to your comment, how can one isolate what TLS/SSL library OpenLDAP=
 is linked to in the environment you're using?
[https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4]https://g=
ithub.com/tiredofit/docker-openldap/blob/master/Dockerfile
docker-openldap/Dockerfile at master =B7 tiredofit/docker-openldap =B7 GitH=
ubhttps://github.com/tiredofit/docker-openldap/blob/master/Dockerfile
Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbi=
x Monitoring based on Alpine - tiredofit/docker-openldap
github.com
[https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4]https://g=
ithub.com/tiredofit/docker-openldap/blob/master/Dockerfile
docker-openldap/Dockerfile at master =B7 tiredofit/docker-openldap =B7 GitH=
ubhttps://github.com/tiredofit/docker-openldap/blob/master/Dockerfile
Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbi=
x Monitoring based on Alpine - tiredofit/docker-openldap
github.com
________________________________
From: Quanah Gibson-Mount quanah@symas.com
Sent: Wednesday, April 24, 2019 1:06 PM
To: siddjain@live.com; openldap-its@OpenLDAP.org
Subject: Re: (ITS#9014) OpenLDAP modifies user provided TLS certificate bef=
ore sending it to client
--On Wednesday, April 24, 2019 6:43 PM +0000 hyc@symas.com wrote:
...
siddjain@live.com wrote:
...
--_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_
Content-Type: text/plain; charset=3D"iso-8859-1"
Content-Transfer-Encoding: quoted-printable
could you send me output of running
openssl version -a
on your system? thanks
...
openssl version -a
OpenSSL 1.1.1  11 Sep 2018
built on: Tue Dec  4 13:15:09 2018 UTC
platform: debian-amd64
I would also note that not all OpenLDAP builds use OpenSSL.  For example,
OpenLDAP built on Debian/Ubuntu uses GnuTLS.  OpenLDAP built on some
versions of RedHat 7 use MozNSS.  Current RedHat 7 builds use OpenSSL but
have an odd MozNSS bridge for backwards compatibilty, and there may be all
sorts of odd bugs in that.  Apple links OpenLDAP to its own custom SSL
libary.
So really your first step should be isolating what TLS/SSL library OpenLDAP
is linked to in the environment you're using.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.sym=
as.com&data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8f068b4%7C84df9e7fe=
9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&sdata=3DNifWEVt269=
tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&reserved=3D0
--_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;=
 color: rgb(0, 0, 0);">
Thank you. we tried using another openldap image and that worked. so it see=
ms the problem is with the osixia docker image we were using to run openlda=
p. it is based on debian (which&nbsp;<span style=3D"color: rgb(51, 51, 51);=
 font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot=
;, &quot;Segoe UI&quot;, -apple-system, system-ui, Roboto, &quot;Helvetica =
Neue&quot;, sans-serif; font-size: 14.6667px; background-color: rgb(255, 25=
5, 255); display: inline !important">uses
 GnuTLS per your email</span>) so tbh we are surprised it would have such a=
 bug in it. the image that worked for us is based on alpine.&nbsp;</div>
<div style=3D"font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;=
 color: rgb(0, 0, 0);">
<a href=3D"https://github.com/osixia/docker-light-baseimage/blob/stable/ima=
ge/Dockerfile">https://github.com/osixia/docker-light-baseimage/blob/stable=
/image/Dockerfile</a><br>
</div>
<div>
<div id=3D"appendonsend"></div>
<div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col=
or:rgb(0,0,0)">
<a href=3D"https://github.com/tiredofit/docker-openldap/blob/master/Dockerf=
ile" id=3D"LPlnk147820">https://github.com/tiredofit/docker-openldap/blob/m=
aster/Dockerfile</a></div>
<div style=3D"font-family:Calibri,Helvetica,sans-serif; font-size:12pt; col=
or:rgb(0,0,0)">
but back to your comment, how can one&nbsp;<span style=3D"color: rgb(51, 51=
, 51); font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European=
)&quot;, &quot;Segoe UI&quot;, -apple-system, system-ui, Roboto, &quot;Helv=
etica Neue&quot;, sans-serif; font-size: 14.6667px; background-color: rgb(2=
55, 255, 255); display: inline !important">isolate
 what TLS/SSL library OpenLDAP<span>&nbsp;</span></span><span style=3D"colo=
r: rgb(51, 51, 51); font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (=
West European)&quot;, &quot;Segoe UI&quot;, -apple-system, system-ui, Robot=
o, &quot;Helvetica Neue&quot;, sans-serif; font-size: 14.6667px; background=
-color: rgb(255, 255, 255); display: inline !important">is
 linked to in the environment you're using?&nbsp;</span><br style=3D"color:=
 rgb(51, 51, 51); font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (We=
st European)&quot;, &quot;Segoe UI&quot;, -apple-system, system-ui, Roboto,=
 &quot;Helvetica Neue&quot;, sans-serif; font-size: 14.6667px; background-c=
olor: rgb(255, 255, 255)">
<br>
<div id=3D"LPBorder_GTaHR0cHM6Ly9naXRodWIuY29tL3RpcmVkb2ZpdC9kb2NrZXItb3Blb=
mxkYXAvYmxvYi9tYXN0ZXIvRG9ja2VyZmlsZQ.." class=3D"LPBorder213343" contented=
itable=3D"false" style=3D"width: 100%; margin-top: 16px; margin-bottom: 16p=
x; position: relative; max-width: 800px; min-width: 424px;">
<table id=3D"LPContainer213343" role=3D"presentation" style=3D"padding: 12p=
x 36px 12px 12px; width: 100%; border-width: 1px; border-style: solid; bord=
er-color: rgb(200, 200, 200); border-radius: 2px;">
<tbody>
<tr valign=3D"top" style=3D"border-spacing: 0px;">
<td>
<div id=3D"LPImageContainer213343" style=3D"position: relative; margin-righ=
t: 12px; height: 160px; overflow: hidden;">
<a target=3D"_blank" id=3D"LPImageAnchor213343" href=3D"https://github.com/=
tiredofit/docker-openldap/blob/master/Dockerfile"><img id=3D"LPThumbnailIma=
geId213343" alt=3D"" height=3D"160" style=3D"display: block;" width=3D"160"=
 src=3D"https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4=
"></a></div>
</td>
<td style=3D"width: 100%;">
<div id=3D"LPTitle213343" style=3D"font-size: 21px; font-weight: 300; margi=
n-right: 8px; font-family: wf_segoe-ui_light, &quot;Segoe UI Light&quot;, &=
quot;Segoe WP Light&quot;, &quot;Segoe UI&quot;, &quot;Segoe WP&quot;, Taho=
ma, Arial, sans-serif; margin-bottom: 12px;">
<a target=3D"_blank" id=3D"LPUrlAnchor213343" href=3D"https://github.com/ti=
redofit/docker-openldap/blob/master/Dockerfile" style=3D"text-decoration: n=
one; color: var(--themePrimary);">docker-openldap/Dockerfile at master =B7 =
tiredofit/docker-openldap =B7 GitHub</a></div>
<div id=3D"LPDescription213343" style=3D"font-size: 14px; max-height: 100px=
; color: rgb(102, 102, 102); font-family: wf_segoe-ui_normal, &quot;Segoe U=
I&quot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif; margin-bottom: 12=
px; margin-right: 8px; overflow: hidden;">
Docker OpenLDAP Container w/TLS &amp; Replication Support S6 Overlay, and Z=
abbix Monitoring based on Alpine - tiredofit/docker-openldap</div>
<div id=3D"LPMetadata213343" style=3D"font-size: 14px; font-weight: 400; co=
lor: rgb(166, 166, 166); font-family: wf_segoe-ui_normal, &quot;Segoe UI&qu=
ot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif;">
github.com</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<div id=3D"LPBorder_GTaHR0cHM6Ly9naXRodWIuY29tL3RpcmVkb2ZpdC9kb2NrZXItb3Blb=
mxkYXAvYmxvYi9tYXN0ZXIvRG9ja2VyZmlsZQ.." class=3D"LPBorder356508" contented=
itable=3D"false" style=3D"width: 100%; margin-top: 16px; margin-bottom: 16p=
x; position: relative; max-width: 800px; min-width: 424px;">
<table id=3D"LPContainer356508" role=3D"presentation" style=3D"padding: 12p=
x 36px 12px 12px; width: 100%; border-width: 1px; border-style: solid; bord=
er-color: rgb(200, 200, 200); border-radius: 2px;">
<tbody>
<tr valign=3D"top" style=3D"border-spacing: 0px;">
<td>
<div id=3D"LPImageContainer356508" style=3D"position: relative; margin-righ=
t: 12px; height: 160px; overflow: hidden;">
<a target=3D"_blank" id=3D"LPImageAnchor356508" href=3D"https://github.com/=
tiredofit/docker-openldap/blob/master/Dockerfile"><img id=3D"LPThumbnailIma=
geId356508" alt=3D"" height=3D"160" style=3D"display: block;" width=3D"160"=
 src=3D"https://avatars0.githubusercontent.com/u/23528985?s=3D400&v=3D4=
"></a></div>
</td>
<td style=3D"width: 100%;">
<div id=3D"LPTitle356508" style=3D"font-size: 21px; font-weight: 300; margi=
n-right: 8px; font-family: wf_segoe-ui_light, &quot;Segoe UI Light&quot;, &=
quot;Segoe WP Light&quot;, &quot;Segoe UI&quot;, &quot;Segoe WP&quot;, Taho=
ma, Arial, sans-serif; margin-bottom: 12px;">
<a target=3D"_blank" id=3D"LPUrlAnchor356508" href=3D"https://github.com/ti=
redofit/docker-openldap/blob/master/Dockerfile" style=3D"text-decoration: n=
one; color: var(--themePrimary);">docker-openldap/Dockerfile at master =B7 =
tiredofit/docker-openldap =B7 GitHub</a></div>
<div id=3D"LPDescription356508" style=3D"font-size: 14px; max-height: 100px=
; color: rgb(102, 102, 102); font-family: wf_segoe-ui_normal, &quot;Segoe U=
I&quot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif; margin-bottom: 12=
px; margin-right: 8px; overflow: hidden;">
Docker OpenLDAP Container w/TLS &amp; Replication Support S6 Overlay, and Z=
abbix Monitoring based on Alpine - tiredofit/docker-openldap</div>
<div id=3D"LPMetadata356508" style=3D"font-size: 14px; font-weight: 400; co=
lor: rgb(166, 166, 166); font-family: wf_segoe-ui_normal, &quot;Segoe UI&qu=
ot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif;">
github.com</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
</div>
<hr tabindex=3D"-1" style=3D"display:inline-block; width:98%">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" co=
lor=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Quanah Gibson-Mount &=
lt;quanah@symas.com&gt;<br>
<b>Sent:</b> Wednesday, April 24, 2019 1:06 PM<br>
<b>To:</b> siddjain@live.com; openldap-its@OpenLDAP.org<br>
<b>Subject:</b> Re: (ITS#9014) OpenLDAP modifies user provided TLS certific=
ate before sending it to client</font>
<div>&nbsp;</div>
</div>
<div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt"=
...
<div class=3D"PlainText">--On Wednesday, April 24, 2019 6:43 PM &#43;0000 h=
yc@symas.com wrote:<br>
<br>
&gt; siddjain@live.com wrote:<br>
&gt;&gt; --_000_MWHPR08MB24000D77048AFCF7465C4397B53C0MWHPR08MB2400namp_<br=
...
&gt;&gt; Content-Type: text/plain; charset=3D&quot;iso-8859-1&quot;<br>
&gt;&gt; Content-Transfer-Encoding: quoted-printable<br>
&gt;&gt;<br>
&gt;&gt; could you send me output of running<br>
&gt;&gt;<br>
&gt;&gt; openssl version -a<br>
&gt;&gt;<br>
&gt;&gt; on your system? thanks<br>
&gt;<br>
&gt;&gt; openssl version -a<br>
&gt; OpenSSL 1.1.1&nbsp; 11 Sep 2018<br>
&gt; built on: Tue Dec&nbsp; 4 13:15:09 2018 UTC<br>
&gt; platform: debian-amd64<br>
<br>
I would also note that not all OpenLDAP builds use OpenSSL.&nbsp; For examp=
le, <br>
OpenLDAP built on Debian/Ubuntu uses GnuTLS.&nbsp; OpenLDAP built on some <=
br>
versions of RedHat 7 use MozNSS.&nbsp; Current RedHat 7 builds use OpenSSL =
but <br>
have an odd MozNSS bridge for backwards compatibilty, and there may be all =
<br>
sorts of odd bugs in that.&nbsp; Apple links OpenLDAP to its own custom SSL=
 <br>
libary.<br>
<br>
So really your first step should be isolating what TLS/SSL library OpenLDAP=
 <br>
is linked to in the environment you're using.<br>
<br>
--Quanah<br>
<br>
<br>
<br>
--<br>
<br>
Quanah Gibson-Mount<br>
Product Architect<br>
Symas Corporation<br>
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br>
&lt;<a href=3D"https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3=
A%2F%2Fwww.symas.com&amp;amp;data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8=
f068b4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&amp;=
amp;sdata=3DNifWEVt269tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&amp;amp;reserv=
ed=3D0">https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2F=
www.symas.com&amp;amp;data=3D02%7C01%7C%7C349b90be6afe4991a54b08d6c8f068b4%=
7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636917332202918260&amp;amp;sda=
ta=3DNifWEVt269tCTuar98XYUfNkaHWSFMffI3M4%2FJ7j8zI%3D&amp;amp;reserved=3D0<=
/a>&gt;<br>
<br>
</div>
</span></font></div>
</div>
</body>
</html>
--_000_MWHPR08MB2400D7AE5E8EEC3D17192FACB53C0MWHPR08MB2400namp_--