[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail

To: Hugo Deprez <hugo.deprez@gmail.com>
Subject: Re: Syncrepl SSL fail
From: Philip Guenther <guenther+ldaptech@sendmail.com>
Date: Mon, 17 Oct 2011 21:28:21 -0700
Cc: Howard Chu <hyc@symas.com>, Josh Miller <joshua@itsecureadmin.com>, Quanah Gibson-Mount <quanah@zimbra.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=spork.dkim; t=1318912128; bh=1zfa/KW4BUqM7VduHNHv8aR8IzPMvJhCAGUG1pigBRU=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References: MIME-Version:Content-Type; b=O2iD0i3cUVuc2OdBEbIyB7kyrxFgTqPrWpPqmo1adD0P7iBaiyWC5eUHeDIQxQt02 fzUdt6Kr4Z8De4V9lYZvbgCzUCXu9KvCMRDyExX86PGp+QlOb9NrbZhB2+Dl6rUZfh lMxHetBmkhjEwSL62eOt7T4r3xeUHnUOmOYWU1xU=
In-reply-to: <CAAoQnKhcez2EsV0LXiAOu07jDAd2TKmzmDanvz90qgo3QEuT1w@mail.gmail.com>
References: <CAAoQnKjisqdHa0Pa8u5fjsUeNvJwY_fi6uJvs_T5U30ao+TG2w@mail.gmail.com> <53616BF91B701EAFA5521B0F@192.168.1.23> <2F29DB7B-BFFD-4004-951B-09EA3BF8429E@itsecureadmin.com> <F6F3F9073A6EC8597D1F5992@quanah-mac.local> <4E9A8CEC.7020403@symas.com> <CAAoQnKhcez2EsV0LXiAOu07jDAd2TKmzmDanvz90qgo3QEuT1w@mail.gmail.com>
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Sun, 16 Oct 2011, Hugo Deprez wrote:
> It seems that the proper configuration for my case is :
> 
> syncrepl       rid=003
>                provider=ldaps://ldap.mydomain.fr:1024/
>                type=refreshOnly
>                retry="60 10 600 +"
>                interval=00:00:00:10
>                searchbase="dc=mydomain,dc=fr"
>                scope=sub
>                schemachecking=on
>                bindmethod=simple
>                tls_reqcert=never
>                binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
>                credentials=my_password
> 
> It works, but I am confuse with those parameters. If I understand
> well, I will never use TLS here, but only ssl ?
> Hence, it was a TLS issue ?

No, you're using TLS.  You're just not using the StartTLS operation.

There are two ways to use SSL/TLS: "negotiate-on-connect" and "upgrade 
from clear".  The former is what you get when you use an ldaps:// URL, 
where the first data the client sends is the raw SSL/TLS ClientHello 
packet.  The latter is what you get when you use an ldap:// URL and have 
starttls=yes or starttls=critical, where the first data the client sends 
is LDAP protocol data in the clear, including a StartTLS request.  If the 
server sends a success response to that StartTLS request, then the client 
starts the SSL/TLS handshake with its ClientHello packet.

This should answer why it failed when you tried to combine an ldaps:// URL 
with starttls=yes: the exchange was already using SSL/TLS and (rightly) 
libldap won't let you negotiate multiple levels of SSL/TLS encryption.

(You may note that I write "SSL/TLS".  That's because they're just 
different versions of the same protocol.  Using 'SSL' as a shorthand for 
"negotiate on connect" and 'TLS' for "upgrade from clear" is poor naming, 
as the choice of method is orthogonal to the protocol version.  Your 
ldaps:// connection is probably negotiating the TLS 1.0 protocol (aka SSL 
version 3.1), just as an ldap:// connection using StartTLS may, on a 
poorly configured server, negotiate SSL 3.0)

Next: the fact that you need tls_reqcert=never for TLS negotiation to 
succeed strongly suggests the problem is either
a) the subject and subjectAltName of the cert don't match the hostname in 
   the URL, OR 
b) the client doesn't have the self-signed CA cert at the root of the 
   signing chain for the server's cert. 

Those are both necessary to protect the server against Man-in-the-Middle 
attacks.

(It used to be that tls_reqcert=allow would disable check (b) and only 
perform check (a), or at least that was the case when using the OpenSSL 
crypto backend, but that behavior has apparently been removed from the 
version in git as of August.  Given the vagaries of the error reporting of 
the underlying crypto libraries, this was a useful tool in tracking down 
which check was causing TLS failures. Oh well.)

So, does the server's certificate subject or subjectAltName match the 
hostname from the URL the client is using?  Have you verified that the CA 
at the root of the server's cert's chain really is configured for the 
client?

Philip Guenther

Follow-Ups:
- Re: Syncrepl SSL fail
  - From: Michael Ströder <michael@stroeder.com>
- Re: Syncrepl SSL fail
  - From: Howard Chu <hyc@symas.com>

References:
- Syncrepl SSL fail
  - From: Hugo Deprez <hugo.deprez@gmail.com>
- Re: Syncrepl SSL fail
  - From: Josh Miller <joshua@itsecureadmin.com>
- Re: Syncrepl SSL fail
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Syncrepl SSL fail
  - From: Howard Chu <hyc@symas.com>
- Re: Syncrepl SSL fail
  - From: Hugo Deprez <hugo.deprez@gmail.com>

Prev by Date: Re: SCRAM-SHA-1
Next by Date: Re: Syncrepl SSL fail
Index(es):
- Chronological
- Thread