Package: slapd; Maintainer for slapd is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for slapd is src:openldap.
Reported by: "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>
Date: Tue, 27 Feb 2007 15:21:02 UTC
Severity: important
Found in version openldap2.3/2.3.30-4
Fixed in version openldap2.3/2.4.7-2
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:Bug#412706; Package slapd.
Message #5 received at submit@bugs.debian.org:
From: "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slapd: Connecting with Client certificates fails when _not_ run with -d2
Date: Tue, 27 Feb 2007 16:18:11 +0100
Package: slapd
Version: 2.3.30-4
Severity: important

I'm trying to get my clients to authenticate with certificates. When I set 'TLSVerifyClient try' the connection 'hangs' during the setup phase of the secure connection. The funny thing is that running slapd from a terminal with -d-1 makes it all work brilliantly. I first thought this was related to the fact that it will not detach and run as root, but then I found out that the behaviour was dependent on the debug level. Only if I include '2 -- debug packet handling' in the loglevel can I successfully authenticate with certificates.

Because the debug output is so different when adding '2', it is hard to compare logfiles. I grepped for 'TLS' to clean it up a bit. It seems that already early in the negotiation something goes wrong.

Loglevel 1 (fail):

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B

Loglevel 3 (success):

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CN of certificate issuer>
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:warning:close notify
TLS trace: SSL3 alert write:warning:close notify

-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13.1
Locale: LANG=nl_NL, LC_CTYPE=nl_NL (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.utf8)

Versions of packages slapd depends on:
ii adduser 3.102 Add and remove users and groups
ii coreutils 5.97-5 The GNU core utilities
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-11 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-1 Berkeley v4.2 Database Libraries [
ii libiodbc2 3.52.4-3 iODBC Driver Manager
ii libldap-2.3-0 2.3.30-4 OpenLDAP libraries
ii libltdl3 1.5.22-4 A system independent dlopen wrappe
ii libperl5.8 5.8.8-7 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-8 Authentication abstraction library
ii libslp1 1.2.1-6 OpenSLP libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii libwrap0 7.6.dbs-12 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-perl 5.8.8-7 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy

Versions of packages slapd recommends:
pn libsasl2-modules <none> (no description available)
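The report's two grepped traces are the whole evidence, and the difficulty the reporter describes is comparing them by eye. As an added example (not code from the bug report or from OpenLDAP), the Python script below parses 'TLS trace: SSL_accept:<state>' lines of the kind slapd emits through OpenSSL's info callback, separates states the server actually got through from 'error in <state>' retry lines, and reports where a failing and a working handshake diverge. The two sample traces are the lines quoted in the report, embedded inline so it runs offline; the reading of 'error in' as "SSL_accept returned from this state without completing it" is an assumption stated in the code.

```python
"""Compare two slapd 'TLS trace:' handshake logs and report where they diverge.

Added example, not part of the bug report. The two sample traces are the
'TLS trace' lines quoted in the report (debug level 1 vs level 3), embedded
inline so the script runs offline. The parsing is generic over any
'TLS trace: SSL_accept:<state>' lines grepped out of a slapd log.
"""
import re
from typing import List, Optional, Tuple

# Lines quoted in the report for the failing run (debug level 1).
FAIL_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
"""

# Lines quoted in the report for the successful run (debug level 3).
OK_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CN of certificate issuer>
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:warning:close notify
TLS trace: SSL3 alert write:warning:close notify
"""

# Assumption: 'error in <state>' is what OpenSSL's info callback prints when
# SSL_accept returns a negative value from that state. On a non-blocking socket
# that usually just means "waiting for the peer" (note it precedes the
# successful 'read client certificate A' above), so it only indicates failure
# when no later state is ever reached.
STATE_RE = re.compile(r"TLS trace: SSL_accept:(?P<retry>error in )?(?P<state>.+)$")
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.+)$", re.M)


def parse_states(trace: str) -> List[Tuple[str, bool]]:
    """(state, retried) pairs in log order; retried=True for 'error in' lines."""
    out = []
    for line in trace.splitlines():
        m = STATE_RE.search(line)
        if m:
            out.append((m.group("state"), m.group("retry") is not None))
    return out


def completed_states(trace: str) -> List[str]:
    """Handshake states the server actually got through (non-retry lines)."""
    return [s for s, retried in parse_states(trace) if not retried]


def handshake_complete(trace: str) -> bool:
    """The server side is done once it has written its Finished message."""
    return "SSLv3 write finished A" in completed_states(trace)


def stuck_state(trace: str) -> Optional[str]:
    """State the handshake kept retrying in, if it never completed."""
    if handshake_complete(trace):
        return None
    retries = [s for s, retried in parse_states(trace) if retried]
    return retries[-1] if retries else None


def verified_subjects(trace: str) -> List[Tuple[int, int, str]]:
    """(depth, err, subject) for every certificate the server verified."""
    return [(int(d), int(e), subj) for d, e, subj in VERIFY_RE.findall(trace)]


def first_divergence(a: str, b: str) -> Optional[Tuple[int, Optional[str], Optional[str]]]:
    """Index and states at the first point where the completed-state sequences differ."""
    ca, cb = completed_states(a), completed_states(b)
    for i, (x, y) in enumerate(zip(ca, cb)):
        if x != y:
            return i, x, y
    if len(ca) != len(cb):
        i = min(len(ca), len(cb))
        return i, (ca[i] if i < len(ca) else None), (cb[i] if i < len(cb) else None)
    return None


def report(fail: str, ok: str) -> str:
    """Human-readable comparison of a failing and a working trace."""
    lines = []
    for label, trace in (("fail", fail), ("ok", ok)):
        lines.append(f"{label}: complete={handshake_complete(trace)} "
                     f"stuck_in={stuck_state(trace)!r} "
                     f"client_certs_verified={len(verified_subjects(trace))}")
    div = first_divergence(fail, ok)
    if div:
        i, x, y = div
        lines.append(f"diverge at completed step {i}: fail={x!r} ok={y!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FAIL_TRACE, OK_TRACE))
```

On the report's own traces this shows the failing run completing only the first four states and never leaving 'SSLv3 write certificate request B', while the working run gets through the certificate request, verifies a two-level client chain, and finishes; the first divergence is the certificate request step itself, which is the point the reporter identified by hand. To use it on real logs, grep the 'TLS' lines out of two slapd runs and pass the two strings to report().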
Message #10 received at 412706@bugs.debian.org:
From: Antonis Christofides <anthony@itia.ntua.gr>
To: 412706@bugs.debian.org
Subject: Re: slapd: Connecting with Client certificates fails when _not_ run with -d2
Date: 01 Mar 2007 19:47:40 +0200
I have the same problem, but the other way round: the server must provide a certificate to the client. I thus suspect that it's not a server or client issue; it's probably an issue in code shared by the server and the client, and it manifests in the one or in the other depending on the case. So I suggest trying -d 1 at the client also, and seeing what it says. There is some discussion, unfruitful so far, at http://www.openldap.org/lists/openldap-software/200702/threads.html, search for "sslv3 flush". The thread continues in the next month, http://www.openldap.org/lists/openldap-software/200703/threads.html.
Message #15 received at 412706@bugs.debian.org:
From: Bas van Schaik <bas@tuxes.nl>
To: 412706@bugs.debian.org
Subject: Debian-only bug?
Date: Wed, 29 Aug 2007 18:40:53 +0200
Upstream marks this bug as "Debian only" with a reasonable explanation:

> Problems with SSL on Debian are well known, and it is due to the fact
> that they long ago patched OpenLDAP 2.1 to compile against GnuTLS
> (note, I don't say *work*, just compile).
>
> When you use their 2.2 and 2.3 packages, and their libraries get
> loaded into the same user space as the 2.1 libraries (which are always
> installed), then SSL/TLS stop working. There is *nothing* the OpenLDAP
> folks can do about this.

(http://www.openldap.org/lists/openldap-software/200702/msg00407.html)

The Debian readme file also talks about TLS:

> This version of the OpenLDAP server and its library is compiled with the
> OpenSSL library as supported by the upstream sources. Other packages
> are not allowed to link against this version of OpenLDAP (or rather
> its library) but this way we have a working OpenLDAP server.
>
> Client packages will have to continue using the old libldap2 package
> for ldap access as that version is linked against GNUTLS to allow
> for example dynamic linking into Samba. We are working on updating that
> GNUTLS patch for OpenLDAP 2.2 and getting it into the upstream package.
>
> When that is accomplished the old libldap2 packages will disappear
> and OpenLDAP 2.2 will be used together with GNUTLS in Debian.

Those explanations seem to conflict, don't they? Until this bug is fixed it's impossible to use client certificates under Debian, quite an important bug. Can someone provide an indication of when it will be fixed?
Message #20 received at 412706@bugs.debian.org:
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Bas van Schaik <bas@tuxes.nl>, 412706@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#412706: Debian-only bug?
Date: Wed, 29 Aug 2007 10:05:53 -0700
--On Wednesday, August 29, 2007 6:40 PM +0200 Bas van Schaik <bas@tuxes.nl> wrote:

> Until this bug is fixed it's impossible to use client certificates under
> Debian, quite an important bug. Can someone provide an indication when
> it will be fixed?

OpenLDAP 2.4 includes GnuTLS support, so it will be fixed once that is released.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Message #25 received at 412706@bugs.debian.org:
From: Russ Allbery <rra@debian.org>
To: Bas van Schaik <bas@tuxes.nl>
Cc: 412706@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#412706: Debian-only bug?
Date: Wed, 29 Aug 2007 11:05:00 -0700
Bas van Schaik <bas@tuxes.nl> writes:

> Upstream marks this bug as "Debian only" with a reasonable explanation:

>> Problems with SSL on Debian are well known, and it is due to the fact
>> that they long ago patched OpenLDAP 2.1 to compile against GnuTLS
>> (note, I don't say *work*, just compile).

It does work in some cases, but yes, it doesn't work well.

>> When you use their 2.2 and 2.3 packages, and their libraries get
>> loaded into the same user space as the 2.1 libraries (which are always
>> installed), then SSL/TLS stop working. There is *nothing* the OpenLDAP
>> folks can do about this.

> (http://www.openldap.org/lists/openldap-software/200702/msg00407.html)

> The Debian readme file also talks about TLS:

>> This version of the OpenLDAP server and its library is compiled with the
>> OpenSSL library as supported by the upstream sources. Other packages
>> are not allowed to link against this version of OpenLDAP (or rather
>> its library) but this way we have a working OpenLDAP server.
>>
>> Client packages will have to continue using the old libldap2 package
>> for ldap access as that version is linked against GNUTLS to allow
>> for example dynamic linking into Samba. We are working on updating that
>> GNUTLS patch for OpenLDAP 2.2 and getting it into the upstream package.

Which has now been done, although it took more time and resources than expected.

>> When that is accomplished the old libldap2 packages will disappear
>> and OpenLDAP 2.2 will be used together with GNUTLS in Debian.

> Those explanations seem to conflict, don't they?

No... what are you seeing that conflicts? slapd ships with current libraries built against OpenSSL, so if you can avoid loading the LDAP client libraries in Debian into the same namespace, the server TLS support will work. The *client* TLS support in Debian has various problems and instabilities, plus the client LDAP libraries are ancient and suffer from all of the bugs fixed since.

> Until this bug is fixed it's impossible to use client certificates under
> Debian, quite an important bug. Can someone provide an indication when
> it will be fixed?

When upstream releases OpenLDAP 2.4, which has real GnuTLS support. Once upstream releases OpenLDAP 2.4.5, we should probably consider packaging it for unstable and starting to test, although I expect a lot of stuff to break. 2.4.5 will still only be a beta. But a beta that unifies the libraries at least has the potential to be more stable than the current state, and hopefully we can then help accelerate the 2.4.x development cycle with more testing so that lenny can release with a stable 2.4 package.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
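Russ's diagnosis is that the server's TLS works unless the old GnuTLS-linked libldap2 client library ends up in the same address space as the OpenSSL-linked libldap-2.3-0; the changelog further down adds symbol versions to libldap for exactly that collision. As an added example (not code from the thread or from the Debian packages), here is a Python check that reads /proc/<pid>/maps and reports whether more than one generation of libldap/liblber, or both libgnutls and libssl, is mapped into one process. The sample maps excerpt, its addresses, inodes and file names, and the soname patterns it matches (libldap.so.2 for the old libldap2, libldap-2.3.so.0 for libldap-2.3-0) are assumptions made for illustration.

```python
"""Spot two generations of libldap mapped into one process via /proc/<pid>/maps.

Added example, not code from the bug report or the Debian packages. The
sample maps excerpt below is constructed: addresses, inodes and file names
are assumptions chosen to mirror the situation described in the thread
(old libldap2 = libldap.so.2 built on GnuTLS, libldap-2.3-0 = libldap-2.3.so.0
built on OpenSSL, both pulled into one address space).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_MAPS = """\
08048000-08150000 r-xp 00000000 08:01 98765      /usr/sbin/slapd
b7e10000-b7e2a000 r-xp 00000000 08:01 123456     /usr/lib/libldap-2.3.so.0.2.22
b7e2a000-b7e2b000 rw-p 00019000 08:01 123456     /usr/lib/libldap-2.3.so.0.2.22
b7e40000-b7e4c000 r-xp 00000000 08:01 123457     /usr/lib/liblber-2.3.so.0.2.22
b7f00000-b7f1a000 r-xp 00000000 08:01 234567     /usr/lib/libldap.so.2.0.130
b7f1a000-b7f1b000 rw-p 0001a000 08:01 234567     /usr/lib/libldap.so.2.0.130
b7f30000-b7f3a000 r-xp 00000000 08:01 234568     /usr/lib/libgnutls.so.13.0.6
b7f50000-b7f6c000 r-xp 00000000 08:01 345678     /usr/lib/libssl.so.0.9.8
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""

# Old naming: libldap.so.2 / liblber.so.2 (version only in the soname).
# New naming: libldap-2.3.so.0 / liblber-2.3.so.0 (release in the file name).
LIB_RE = re.compile(
    r"^lib(?P<family>ldap_r|ldap|lber)(?:-(?P<rel>\d+\.\d+))?\.so\.(?P<major>\d+)")
TLS_RE = re.compile(r"^lib(?P<backend>gnutls|ssl)\.so\.")


def mapped_files(maps_text: str) -> List[str]:
    """Distinct backing-file paths from maps text; anonymous and pseudo mappings skipped."""
    seen: Set[str] = set()
    paths: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[5].startswith("["):
            continue
        if fields[5] not in seen:
            seen.add(fields[5])
            paths.append(fields[5])
    return paths


def ldap_libraries(maps_text: str) -> Dict[str, Set[str]]:
    """Per OpenLDAP library family, the set of distinct versions mapped in."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for path in mapped_files(maps_text):
        m = LIB_RE.match(path.rsplit("/", 1)[-1])
        if m:
            found[m.group("family")].add(m.group("rel") or "so." + m.group("major"))
    return dict(found)


def conflicting_families(maps_text: str) -> List[str]:
    """Families with more than one version present: the symbol-collision case."""
    return sorted(f for f, vers in ldap_libraries(maps_text).items() if len(vers) > 1)


def tls_backends(maps_text: str) -> List[str]:
    """TLS libraries mapped in; 'gnutls' and 'ssl' together is the warning sign."""
    backs: Set[str] = set()
    for path in mapped_files(maps_text):
        m = TLS_RE.match(path.rsplit("/", 1)[-1])
        if m:
            backs.add(m.group("backend"))
    return sorted(backs)


def check_pid(pid: int) -> List[str]:
    """Run the same check against a live process (Linux only)."""
    with open(f"/proc/{pid}/maps") as fh:
        return conflicting_families(fh.read())


if __name__ == "__main__":
    print("libldap versions:", ldap_libraries(SAMPLE_MAPS))
    print("conflicting families:", conflicting_families(SAMPLE_MAPS))
    print("TLS backends:", tls_backends(SAMPLE_MAPS))
```

On the constructed sample the check reports the 'ldap' family present in two versions and both TLS backends mapped, which is the state Russ describes as breaking TLS. On a real system, check_pid(pid) applied to a running slapd (or to a client such as Samba that dlopens LDAP) gives the same answer; an empty list means only one libldap generation is loaded.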
Russ Allbery <rra@debian.org> to control@bugs.debian.org (Fri, 21 Dec 2007 06:48:06 GMT).
Message #32 received at 412706-close@bugs.debian.org:
From: Steve Langasek <vorlon@debian.org>
To: 412706-close@bugs.debian.org
Subject: Bug#412706: fixed in openldap2.3 2.4.7-2
Date: Mon, 21 Jan 2008 18:31:17 +0000
Source: openldap2.3
Source-Version: 2.4.7-2
We believe that the bug you reported is fixed in the latest version of
openldap2.3, which is due to be installed in the Debian FTP archive:
ldap-utils_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/ldap-utils_2.4.7-2_amd64.deb
libldap-2.4-2-dbg_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.7-2_amd64.deb
libldap-2.4-2_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/libldap-2.4-2_2.4.7-2_amd64.deb
libldap2-dev_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/libldap2-dev_2.4.7-2_amd64.deb
openldap2.3_2.4.7-2.diff.gz
to pool/main/o/openldap2.3/openldap2.3_2.4.7-2.diff.gz
openldap2.3_2.4.7-2.dsc
to pool/main/o/openldap2.3/openldap2.3_2.4.7-2.dsc
openldap2.3_2.4.7.orig.tar.gz
to pool/main/o/openldap2.3/openldap2.3_2.4.7.orig.tar.gz
slapd-dbg_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/slapd-dbg_2.4.7-2_amd64.deb
slapd_2.4.7-2_amd64.deb
to pool/main/o/openldap2.3/slapd_2.4.7-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 412706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap2.3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 21 Jan 2008 06:13:21 -0800
Source: openldap2.3
Binary: slapd libldap-2.4-2 ldap-utils libldap2-dev slapd-dbg libldap-2.4-2-dbg
Architecture: source amd64
Version: 2.4.7-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
Closes: 221173 258931 260118 262539 320072 381788 391899 393215 407334 411413 412706 428385 428468 432662 438127 447224 448061 448935 449354 449442 451158 451325 452632 452749 452833 453318 453341 453411 457182 458215
Changes:
openldap2.3 (2.4.7-2) unstable; urgency=low
.
* Temporarily drop slapi-dev from the package to get through NEW; this
functionality should be readded later, either by restoring the slapi-dev
package or by moving it to libldap2-dev, depending on the outcome of
discussion with the ftp-masters.
.
openldap2.3 (2.4.7-1) unstable; urgency=low
.
[ Steve Langasek ]
* New upstream version; closes: #449354.
- remove another schema from upstream source, collective.schema,
that contains text from the IETF RFCs and include a stripped copy
in debian/schema.
- drop patches slurpd-in-spool and man-slurpd, since slurpd is no
longer provided upstream.
- libldap2.3-0 is now libldap2.4-2
- build libldap2-dev from this source package now, superseding
openldap2; closes: #428385, #260118, #262539, #391899, #393215.
- lastmod and denyop have been moved to contrib upstream and are no
longer shipped as supported overlays
- drop dependency on libldap2 and take ownership of the
/etc/ldap/ldap.conf conffile, since libldap2 is now obsolete
- need to dump and reload databases again for the upgrade from 2.3.39.
- ldap_init(3) no longer attempts to document the internals of the
LDAP opaque type. Closes: #320072.
- ldap-utils utilities find LDAP servers via SRV records when given a
URL with -H and no host in the URL. Closes: #221173.
- if the old slapd.conf included any replica commands, automatically
enable syncprov for the corresponding database and print an error
with debconf.
* slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be
shipped under doc/examples because /usr/share/doc can't be depended
on per policy; ship the files under /usr/share/slapd and symlink the
/other/ way, which also spares us from dh_compress trying to gzip
slapd.conf. Closes: #452749.
* Drop libldap.so as was done for libldap2, making it a link to
libldap_r.so to avoid unfortunate symbol collisions.
* Add new patch, libldap-symbol-versions, to build libldap and liblber
with symbol versions; needed to avoid segfaults when applications
manage to pull both libldap2 and the new libldap-2.4-2 into the same
process (as during a partial upgrade or the initial soname
transition), and also when the library soname changes again in the
future (as it's likely to do).
* Reintroduce add-autogen-sh patch, with build deps on libtool, automake,
and autoconf, required due to the previous patch; this time around, take
care to clean up the autogenerated files in the clean target as well
* Build-depend on libgnutls-dev instead of on libssl-dev, so that at long
last we can build the server and lib from the same source package again
without licensing problems. Closes: #457182, #407334, #428468, #381788.
Closes: #412706.
* slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for
openldap < 2.1.22
* Ask about ldbm to bdb migration in the preinst, since there is no
guarantee that the debconf config script will be run before the unpack
phase.
* Don't stop slapd in the preinst by hand, the prerm already stops the
old slapd using the standard interfaces.
* Don't build with LAN Manager password support; these passwords are more
insecure than traditional Unix crypt, and only relevant when talking to
Windows 98.
* Move libslapi into the slapd package and provide a virtual package for
library dependencies, since this is expected to stay lockstep with the
server.
* Split slapi dev support into a new libslapi-dev package, as this is
unrelated to libldap; and drop libslapi.a since it would be insane to try
to statically link a dynamically-loaded slapi plugin.
* "checkpoint" directives are no longer supported as part of the backend
config, only as part of the database config; move the lines around in
slapd.conf on upgrade.
* "schemacheck" directives are no longer supported; comment them out
on upgrade since this option was set by default in sarge.
* Package description updates; thanks to Christian Perrier
<bubulle@debian.org> and the Smith review project for these
improvements.
* Incorporate debconf template changes suggested by the debian-l10n-english
team as part of the Smith review project. Closes: #447224.
.
[ Russ Allbery ]
* Removed fix_ldif and all remaining code to try running it on LDIF
dumps. Schema checking has been imposed since 2.1 and it's highly
unlikely that anyone still needs this.
* Move the checkpoint directive in the default slapd.conf below the
database and suffix directives for the primary database. This is now
required for OpenLDAP 2.4.
* Create /etc/ldap/slapd.conf owned by the openldap group and mode 640
by default so that slapindex and friends can read it when run as the
openldap user. Fix permissions on upgrade if slapd.conf is owned by
root and mode 600. Closes: #432662.
* Drop slapd patch to read slapd.conf before dropping privileges, since
slapd.conf should now be readable by SLAPD_GROUP.
* If SLAPD_CONF is set to a directory in /etc/default/slapd, assume
the cn=config backend is used and start slapd with the appropriate
options. Based on a patch from Mike Burr. Closes: #411413.
* Rework slapd's README.Debian:
- Document the BerkeleyDB version. Closes: #438127.
- Document how to direct slapd's logs to another file. Closes: #258931.
- Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades.
- Recommend HDB instead of BDB.
- Generally reformat and reorganize.
* Patch cleanup:
- Combine the NTLM patches for Evolution into a single patch.
- Add explanatory comments to every patch.
- Refresh all patches to remove diff garbage and trailing whitespace.
* debian/rules cleanup:
- Fix patch dependencies for parallel build (hopefully).
- Tell configure the system type.
- Rewrite upstream_strip_nondfsg.sh as a get-orig-source target.
- Remove stamp files as the first step of the clean target.
- Add trivial build-arch and build-indep targets.
- Remove dead code and unnecessary comments.
* Remove postrm code to delete /var/lib/slapd/upgrade* flag files. We
haven't used those since the 2.1 upgrade.
* Update Vcs-* headers for new repository layout.
* Remove versioned dependency on an ancient dpkg-dev.
* Wrap and reorder Build-Depends for readability.
.
[ Updated debconf translations ]
* Czech, thanks to Miroslav Kure <kurem@debian.cz>. Closes: #458215.
* German, thanks to Helge Kreutzmann <debian@helgefjell.de>.
Closes: #452833.
* Spanish
* Finnish, thanks to Esko Arajärvi <edu@iki.fi>. Closes: #448061.
* French, thanks to Christian Perrier <bubulle@debian.org>.
Closes: #452632.
* Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>.
Closes: #451158.
* Italian, thanks to Luca Monducci <luca.mo@tiscali.it>. Closes: #449442.
* Japanese, thanks to Kenshi Muto <kmuto@debian.org>. Closes: #451325.
* Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no>. Closes: #448935.
* Brazilian Portuguese
* Portuguese, thanks to Tiago Fernandes <tjg.fernandes@gmail.com>.
Closes: #453341.
* Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>. Closes: #453318.
* Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>.
Closes: #453411.
Files:
570b101f6cd998a7d70db1a49c6d2bf1 1388 net optional openldap2.3_2.4.7-2.dsc
aa22bd9f636d66785191716d2d127acd 132176 net optional openldap2.3_2.4.7-2.diff.gz
eb8d65b07930a681acdc2b100ab57649 3469367 net optional openldap2.3_2.4.7.orig.tar.gz
861962685143f28a05f56bfc6a280e56 1401080 net optional slapd_2.4.7-2_amd64.deb
bbd542def71ed5dd4f2ce88ea7ca8fa7 259734 net optional ldap-utils_2.4.7-2_amd64.deb
be80baf12c8baa28571de35336051b85 198072 libs optional libldap-2.4-2_2.4.7-2_amd64.deb
2436774125993d3f464f5ab880050b9c 288346 libdevel extra libldap-2.4-2-dbg_2.4.7-2_amd64.deb
1f86c631143e0c7062a595a7fd73416f 834322 libdevel extra libldap2-dev_2.4.7-2_amd64.deb
70c31ecf226e1cce53c7e69314d415bf 3528208 net extra slapd-dbg_2.4.7-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHlLtVKN6ufymYLloRAs77AKCr7EXcuuG2D93YvARXE8O0SXxbUwCfZ/zg
vtK2egGbmyTydvkIaYb4KsE=
=EvcV
-----END PGP SIGNATURE-----
Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Wed, 16 Jul 2008 07:26:02 GMT).