
Re: (ITS#5667) Problem in the startTLS Command processing



On Aug 22, 2008, at 2:53 PM, john.w.clark@hp.com wrote:

> Full_Name:
> Version: 2.3.36 and earlier and I assume also later
> OS: Red Hat Enterprise Linux 4.5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (15.203.233.75)
>
>
> This problem was previously described on the OpenLDAP website at:
>
> http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html
>
> The described fix is not included in release 2.3.36 and I assume that
> it has not been included in later releases either.
>
> The problem is with the response to the 'startTLS' command in the
> 'slapd' server.
>
>
> Here is an excerpt from the write up at the above URL:
>
> **************************************************************
> Having fixed the issue described above, we came across another issue
> which concerns the TLS extended operation response.
>
> As RFC2830 states:

RFC 2830 has been replaced by RFC 4510, 4511, and RFC 4513.

> ...
>   A Start TLS extended response MUST contain a responseName field
>   which MUST be set to the same string as that in the responseName
>   field present in the Start TLS extended request.
> ...

This MUST was purposely removed from the revised LDAP specifications  
by the IETF.

> Unfortunately OpenLDAP server doesn't return the 'responseName'
> field. This defect may prevent other LDAP APIs from understanding
> the response of OpenLDAP servers.

Clients are supposed to use message-ids to match up responses with requests.

> For instance, Microsoft LDAP API doesn't accept the
> response without this field.

Sounds like a bug in Microsoft LDAP, especially given the current  
Start TLS specification.  I suggest you report this to them.

> We suggest adding the responseName field to the
> response. This is also a trivial one:
>
> rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
>
> before 'rc = LDAP_SUCCESS;' in starttls_extop() function (starttls.c).

See my comments in my response to ITS#3037 as to why I think such  
should not be done.

>
>
> 3. Patch
>
> Unfortunately I didn't manage to get access to the /incoming FTP folder
> despite the fact I used my email as password. So here is a patch for
> both problems:
>
> =============
> --- orig/starttls.c	2004-01-01 21:15:32.000000000 +0200
> +++ fixed/starttls.c	2004-05-27 14:14:54.000000000 +0300
> @@ -94,6 +94,8 @@
>     op->o_conn->c_is_tls = 1;
>     op->o_conn->c_needs_tls_accept = 1;
>
> +    rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
> +
>     rc = LDAP_SUCCESS;
>
> done:
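Review bot: the added `rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);` line has no check on the result of SLAP_STRDUP, and the hunk shows nothing about who releases sr_rspoid once the response has been sent; if the reply path does not free it, the allocation leaks on every StartTLS, and if the strdup fails the response silently goes out without the field anyway. Since LDAP_EXOP_START_TLS is a constant, either check the return value or point sr_rspoid at the constant without allocating, whichever matches how the response code treats ownership of that field. Two smaller points: the cover text says this is "a patch for both problems" but only this single hunk is present, and the field being added is the one the reply above notes was deliberately made optional in the revised specification, so the change should say why it is still wanted.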
> =============
>
> Looking forward to your comments...
>
> Sincerely yours,
>
> Kirill Kovalenko
> Softerra LLC
> ************************************************************
>
>
> Thanks and Regards,
> John Clark
>
> john.w.clark@hp.com
> Sr. Software Engineer
> Hewlett-Packard
> Atalla Security Products
>
>
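The message-ID correlation the reply above insists on, as an added example that is not code from this thread or from OpenLDAP: it builds a StartTLS ExtendedResponse both with and without responseName (BER is hand-rolled here, tag values taken from RFC 4511) and shows a client matching the reply to its request by messageID alone, so the missing field does not break correlation.

```python
# Constructed example, not code from the ITS thread or from OpenLDAP: minimal
# BER for the StartTLS ExtendedResponse discussed above (RFC 4511 4.12/4.14).
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # value of LDAP_EXOP_START_TLS

def tlv(tag, body):
    """Encode one BER TLV; definite length, short or long form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_starttls_response(msg_id, result_code=0, with_name=True):
    """LDAPMessage { messageID, extendedResp [APPLICATION 24] }; msg_id < 128.
    with_name=False mirrors the slapd behaviour the report complains about."""
    body = tlv(0x0A, bytes([result_code]))      # resultCode ENUMERATED
    body += tlv(0x04, b"") + tlv(0x04, b"")     # matchedDN, diagnosticMessage
    if with_name:
        body += tlv(0x8A, START_TLS_OID.encode())  # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, body))

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(msg):
    """Return (messageID, resultCode, responseName or None)."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(seq, 0)
    tag, body, _ = read_tlv(seq, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(body, 0)
    for _ in range(2):                            # skip matchedDN, diagnosticMessage
        _, _, pos = read_tlv(body, pos)
    name = None
    while pos < len(body):                        # optional trailing fields
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x8A:
            name = val.decode()
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), name

def matches_request(msg, pending):
    """Correlate by messageID as RFC 4511 requires; responseName is optional."""
    mid, rc, _ = parse_extended_response(msg)
    return pending.get(mid) == START_TLS_OID and rc == 0
```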