[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ldapsearch does not match simple hostnames against fqdns in certificates (ITS#3158)
Full_Name: Arne Brutschy
Version: 2.2.11
OS: Linux 2.6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (139.18.1.5)
ldapsearch (and perhaps other ldap tools as well) has problems while verifying
the servers tls certificates when connecting with a single hostname and the
certificates cn is a fqdn.
Example:
ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -H ldaps://ldap:636
fails, but
ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -H
ldaps://ldap.example.com:636
succeeds when the CN in the certificate is "ldap.example.com". This is wrong.
Openssls reference test client validates the certificate in the right way, you
can test with:
openssl s_client -connect ldap:636 -CApath /etc/ssl/certs
Here is the full (stripped) debug output:
ldap:/etc/openldap/tls # ldapsearch -x -W -D "cn=manager,dc=uni-leipzig,dc=de"
-H ldaps://ldap:636 -v -d 255
ldap_initialize( ldaps://ldap:636 )
ldap_create
ldap_url_parse_ext(ldaps://ldap:636)
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
[--snip--]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
[--snip--]
tls_read: want=72, got=72
[--snip--]
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
[--snip--]
tls_read: want=3518, got=3518
[--snip--]
TLS certificate verification: depth: 2, err: 0, subject: /C=DE/O=Deutsches
Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification
Authority/emailAddress=certify@pca.dfn.de, issuer: /C=DE/O=Deutsches
Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification
Authority/emailAddress=certify@pca.dfn.de
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/O=Universitaet
Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/emailAddress=ca@uni-leipzig.de,
issuer: /C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN
Toplevel Certification Authority/emailAddress=certify@pca.dfn.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/O=Universitaet
Leipzig/OU=URZ/CN=ldap.example.com, issuer: /C=DE/O=Universitaet
Leipzig/OU=URZ/CN=Zertifizierungsstelle 2004/emailAddress=ca@uni-leipzig.de
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
[--snip--]
tls_read: want=4, got=4
[--snip--]
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=326, written=326
[--snip--]
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
[--snip--]
tls_read: want=1, got=1
[--snip--]
tls_read: want=5, got=5
[--snip--]
tls_read: want=48, got=48
[--snip--]
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap) does not match common name in certificate
(ldap.example.com).
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate