Re: problem with syncrepl and STARTTLS

To: Michael Ströder <michael@stroeder.com>

Subject: Re: problem with syncrepl and STARTTLS

From: r0m5 <r0m5@r0m5.eu>

Date: Wed, 09 Aug 2017 15:07:14 +0200

In-reply-to: <f2402a69-d9f4-d0f2-0cec-16738370284d@stroeder.com>

References: <53769c53fc5149828588888c1e01fef7@de-rasse.fr> <WM!e0914311a8ee5b638d4fa3111b07fd1e5eda86092bafb4125eb9e9755ac34113ac92a6c67897631469170aef9b654d19!@mailstronghold-3.zmailcloud.com> <9E0EEC12AA9367D3132A710A@[192.168.1.19]> <59becf0c3113ec79983bd082ae8ae178@de-rasse.fr> <6ac78a9a2d6216fd345510b875a5c77d@r0m5.eu> <f2402a69-d9f4-d0f2-0cec-16738370284d@stroeder.com>

Le 2017-08-09 14:13, Michael Ströder a écrit :

r0m5 wrote:
So I set up a PKI and now it looks OK regarding syncrepl. So I guess my problem might
be related to ITS#8427, which I didn't see before posting here.

I still have issues though, with applications randomly failing STARTTLS to my consumers

Many problems like this are caused by not getting the PKI to issue correct public-key
certs. Especially you should put all DNS names a LDAP client might use to connect to your
LDAP server in subjectAltName extension.

E.g. ITS#8427 says:
"Provide the servers with TLS certificates that are correct but do not include
an address used in syncrepl provider setting."
What the heck does that mean?!?

Ciao, Michael.

I guess the guy uses in order to reproduce a provider certificate which is signed by a CA his consumer trusts, but the consumer connects to the provider using a DNS name different from the certificate CN and not included in subjectAltName.

The certificate I used when I had the problem was self signed but my consumer was connecting to a correct DNS name (the CN of the certificate).

In both cases the certificate is not "valid", but apparently for different reasons.

Regarding my applications randomly failing STARTTLS to my consumers, it's not related to the use of a DNS name different from the certificate CN and not included in subjectAltName. Considering an application using always the same DNS name to connect to the consumer and connecting to the same consumer which presents always the same certificate (self-signed) : most of the time this application succeeds STARTTLS, but sometimes fails. Log on the consumer :

conn=3232 fd=20 ACCEPT from IP=192.168.74.222:50187 (IP=0.0.0.0:389)
conn=3232 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=3232 op=0 STARTTLS
conn=3232 op=0 RESULT oid= err=0 text=
conn=3232 fd=20 TLS established tls_ssf=128 ssf=128
conn=3232 fd=20 closed (connection lost)

I will dig more into it. So far it appears than only PHP applications fail this way, it seems like there are no probrems with STARTTLS from freeradius or Apache Basic AuthType with AuthBasicProvider ldap.

Follow-Ups:

Re: problem with syncrepl and STARTTLS
- From: Michael Ströder <michael@stroeder.com>