Debian Bug report logs - #462588
Fails to start slapd ldaps:/// on upgrade

Package: slapd; Maintainer for slapd is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for slapd is src:openldap.

Reported by: Alex Samad <alex@samad.com.au>

Date: Fri, 25 Jan 2008 21:24:01 UTC

Severity: grave

Found in version openldap2.3/2.4.7-3

Fixed in version openldap2.3/2.4.7-5

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Alex Samad <alex@samad.com.au>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alex Samad <alex@samad.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fails to start slapd ldaps:/// on upgrade
Date: Sat, 26 Jan 2008 08:16:30 +1100
Package: slapd
Version: 2.4.7-3+b1
Severity: grave
Justification: renders package unusable

Hi

I have a working 2.3.38-1+lenny1 slapd; this is the relevant TLS
config info:
# CA information
TLSCACertificateFile /etc/ldap/ssl/ca-certificates.crt
#TLSCACertificatePath /etc/ldap/ssl/

TLSVerifyClient allow
#TLSVerifyClient demand
#TLSCipherSuite HIGH
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCRLCheck none
TLSCertificateFile /etc/ldap/ssl/bGRhcC5zYW1hZC5jb20uYXU6Y2EuY29tLmF1OjpBLiBTYW1hZCBQdHkgTHRkOlN5ZG5leTpOU1c6QVU=.pem
TLSCertificateKeyFile /etc/ldap/ssl/bGRhcC5zYW1hZC5jb20uYXU6Y2EuY29tLmF1OjpBLiBTYW1hZCBQdHkgTHRkOlN5ZG5leTpOU1c6QVU=.une.pem

Upon upgrade, slapd refused to start: TLS failure, unable to set

TLSCipherSuite HIGH:MEDIUM:+SSLv2

The only way I could get slapd to start was to comment out
TLSCipherSuite,

and then slapd would not accept any ldaps connections.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Message #10 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Alex Samad <alex@samad.com.au>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
Date: Fri, 25 Jan 2008 13:56:13 -0800
--On Saturday, January 26, 2008 8:16 AM +1100 Alex Samad 
<alex@samad.com.au> wrote:

> Package: slapd
> Version: 2.4.7-3+b1
> Severity: grave
> Justification: renders package unusable

OpenLDAP 2.4.7 in Debian uses GnuTLS now instead of OpenSSL.  GnuTLS uses a 
different set of cipher suites.  I would advise reading the GnuTLS 
documentation and picking something appropriate.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #15 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Same problem
Date: Sat, 26 Jan 2008 01:01:55 +0100
Hi,

I have the same problem. Following your suggestion, I listed all the 
cipher suites using "gnutls-cli -l" and tried all of them. Now, slapd 
does start, but still Thunderbird cannot connect to the daemon, no 
matter which cipher suite was selected.

Regards,

Timo






Message #20 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Same problem
Date: Fri, 25 Jan 2008 16:13:30 -0800
--On Saturday, January 26, 2008 1:01 AM +0100 "T.A. van Roermund" 
<timo@van-roermund.nl> wrote:

> Hi,
>
> I have the same problem. Following your suggestion, I listed all the
> cipher suites using "gnutls-cli -l" and tried all of them. Now, slapd
> does start, but still Thunderbird cannot connect to the daemon, no
> matter which cipher suite was selected.

Have you verified whether or not you can connect using LDAPS via the 
command line tools? (ldapsearch, ldapwhoami, etc).

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #25 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Same problem
Date: Sat, 26 Jan 2008 12:33:28 +0100
Quanah Gibson-Mount wrote:
> Have you verified whether or not you can connect using LDAPS via the 
> command line tools? (ldapsearch, ldapwhoami, etc).

Yes I did:

	$ ldapsearch -H ldaps://localhost:636/ -X cn=admin
	ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

The relevant line in /etc/default/slapd:
	SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"

And the relevant lines in /etc/ldap/slapd.conf:
	TLSCertificateFile /etc/ssl/private/mykey.crt
	TLSCertificateKeyFile /etc/ssl/private/mykey.key

	# original cipher suite string
	#TLSCipherSuite HIGH:-SSLv2:-RSA
	# cipher suite string as used before with OpenSSL
	#TLSCipherSuite HIGH:MEDIUM:-SSLv2
	# all cipher suites as currently supported by gnutls,
	# constructed using command:
	#   gnutls-cli -l | grep -E "^TLS" | cut -d\  -f1 | xargs echo
	TLSCipherSuite TLS_ANON_DH_ARCFOUR_MD5 TLS_ANON_DH_3DES_EDE_CBC_SHA1 
TLS_ANON_DH_AES_128_CBC_SHA1 TLS_ANON_DH_AES_256_CBC_SHA1 
TLS_PSK_SHA_ARCFOUR_SHA1 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 
TLS_PSK_SHA_AES_128_CBC_SHA1 TLS_PSK_SHA_AES_256_CBC_SHA1 
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_AES_128_CBC_SHA1 
TLS_SRP_SHA_AES_256_CBC_SHA1 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 TLS_DHE_DSS_ARCFOUR_SHA1 
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 TLS_DHE_DSS_AES_128_CBC_SHA1 
TLS_DHE_DSS_AES_256_CBC_SHA1 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 
TLS_DHE_RSA_AES_128_CBC_SHA1 TLS_DHE_RSA_AES_256_CBC_SHA1 
TLS_RSA_NULL_MD5 TLS_RSA_EXPORT_ARCFOUR_40_MD5 TLS_RSA_ARCFOUR_SHA1 
TLS_RSA_ARCFOUR_MD5 TLS_RSA_3DES_EDE_CBC_SHA1 TLS_RSA_AES_128_CBC_SHA1 
TLS_RSA_AES_256_CBC_SHA1


Before, using OpenSSL, everything worked perfectly. Now, LDAPS is
completely broken.

Regards,

Timo






Message #30 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
Date: Sat, 26 Jan 2008 18:12:51 -0800
--On Saturday, January 26, 2008 12:33 PM +0100 "T.A. van Roermund" 
<timo@van-roermund.nl> wrote:

> Quanah Gibson-Mount wrote:
>> Have you verified whether or not you can connect using LDAPS via the
>> command line tools? (ldapsearch, ldapwhoami, etc).
>
> Yes I did:
>
> 	$ ldapsearch -H ldaps://localhost:636/ -X cn=admin
> 	ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Have you verified that port 636 is open?  I.e., telnet localhost 636

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #35 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
Date: Sun, 27 Jan 2008 09:34:20 +0100
Quanah Gibson-Mount wrote:
> Have you verified that port 636 is open?  I.e., telnet localhost 636

The port is open:

	$ telnet localhost 636
	Trying 127.0.0.1...
	Connected to localhost.
	Escape character is '^]'.

And:

	$ netstat --listening --numeric --program | grep slapd
	tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      23763/slapd
	tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      23763/slapd

(And ldapsearch is still unable to connect.)

Regards,

Timo





Message #40 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Cc: 462588-submitter@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 11:09:32 -0800
On Sat, Jan 26, 2008 at 12:33:28PM +0100, T.A. van Roermund wrote:
> 	# all cipher suites as currently supported by gnutls,
> 	# constructed using command:
> 	#   gnutls-cli -l | grep -E "^TLS" | cut -d\  -f1 | xargs echo
> 	TLSCipherSuite TLS_ANON_DH_ARCFOUR_MD5 TLS_ANON_DH_3DES_EDE_CBC_SHA1 
> TLS_ANON_DH_AES_128_CBC_SHA1 TLS_ANON_DH_AES_256_CBC_SHA1 
> TLS_PSK_SHA_ARCFOUR_SHA1 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 
> TLS_PSK_SHA_AES_128_CBC_SHA1 TLS_PSK_SHA_AES_256_CBC_SHA1 
> TLS_DHE_PSK_SHA_ARCFOUR_SHA1 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 
> TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 
> TLS_SRP_SHA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_AES_128_CBC_SHA1 
> TLS_SRP_SHA_AES_256_CBC_SHA1 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 
> TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 
> TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 
> TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 TLS_DHE_DSS_ARCFOUR_SHA1 
> TLS_DHE_DSS_3DES_EDE_CBC_SHA1 TLS_DHE_DSS_AES_128_CBC_SHA1 
> TLS_DHE_DSS_AES_256_CBC_SHA1 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 
> TLS_DHE_RSA_AES_128_CBC_SHA1 TLS_DHE_RSA_AES_256_CBC_SHA1 
> TLS_RSA_NULL_MD5 TLS_RSA_EXPORT_ARCFOUR_40_MD5 TLS_RSA_ARCFOUR_SHA1 
> TLS_RSA_ARCFOUR_MD5 TLS_RSA_3DES_EDE_CBC_SHA1 TLS_RSA_AES_128_CBC_SHA1 
> TLS_RSA_AES_256_CBC_SHA1

> Before, using OpenSSL, everything worked perfectly. Now, LDAPS is
> completely broken.

Well, I can reproduce the problem when using this value for TLSCipherSuite.
But why would you set this value, rather than leaving TLSCipherSuite blank
to use the default?  I don't see the point of listing *all* the cipher types
if you don't intend to exclude some of them.

Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not
"$cipher1 $cipher2"; but setting such values gives me a hang on startup
(which should be investigated).

I see that if I leave the cipher list blank, gnutls-cli negotiates
TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
it works just fine.

The full list of ciphers that gnutls clients appear to negotiate by default
is:

  TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
  TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
  TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
  TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
  TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5

So if you don't want to use the default cipher settings, you can perhaps
choose one of these ciphers individually that meets your needs.

The fact that ldap_pvt_tls_set_option() hangs indefinitely when given a list
of more than one cipher is certainly a bug which should be fixed.

I'm not sure if we should also try to migrate the OpenSSL-specific cipher
specs to GNUTLS equivalents as part of the package upgrade.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org





Message #48 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 20:27:03 +0100
Steve Langasek wrote:
> Well, I can reproduce the problem when using this value for TLSCipherSuite.
> But why would you set this value, rather than leaving TLSCipherSuite blank
> to use the default?  I don't see the point of listing *all* the cipher types
> if you don't intend to exclude some of them.

If I leave it blank, it still doesn't work. The behaviour is then 
exactly equal to the current situation.

> Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not
> "$cipher1 $cipher2"; but setting such values gives me a hang on startup
> (which should be investigated).

I can confirm that; the reason why I left out the ":" is this hang. I 
thought that maybe gnutls parses the string differently and needs spaces 
in between, which is why I replaced those characters with spaces. Anyway, 
will you file a bug report for this hang?

> I see that if I leave the cipher list blank, gnutls-cli negotiates
> TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
> it works just fine.

How exactly do you find out? Then I might try the same on my PC.

> The full list of ciphers that gnutls clients appear to negotiate by default
> is:
> 
>   TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
>   TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
>   TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
>   TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
>   TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5
>
> So if you don't want to use the default cipher settings, you can perhaps
> choose one of these ciphers individually that meets your needs.

None of these ciphers seems to work (at least in combination with 
Thunderbird).

> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

That might be a good idea.

Best regards,

Timo






Message #53 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: 462588@bugs.debian.org
Cc: Steve Langasek <vorlon@debian.org>
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 11:31:43 -0800
--On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek 
<vorlon@debian.org> wrote:


> Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> not "$cipher1 $cipher2"; but setting such values gives me a hang on
> startup (which should be investigated).

Filed upstream:

<http://www.OpenLDAP.org/its/index.cgi?findid=5341>

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #58 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>, 462588@bugs.debian.org
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
Date: Tue, 29 Jan 2008 11:55:24 -0800
On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek 
> <vorlon@debian.org> wrote:

> > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > startup (which should be investigated).

> Filed upstream:

> <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

Sorry, the description of this ITS is inverted.  It's *valid* ciphersuite
values (i.e., "cipher1:cipher2") that cause the hang; invalid
space-separated values are merely truncated after the first cipher in the
list, which doesn't cause a hang, it just prevents the cipher list from
being useful.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
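A small lint for the TLSCipherSuite pitfalls this thread identifies (an OpenSSL-style spec that the GnuTLS build rejects, a space-separated list that is truncated to its first entry, and a colon-separated list of GnuTLS suites that hangs 2.4.7-3 per ITS#5341). This is an added illustration, not code from the slapd package; the slapd.conf fragments and the finding codes are constructed for the example.

```python
import re

# Constructed slapd.conf fragments, modelled on the values posted in this thread.
CONF_OPENSSL_STYLE = "TLSCipherSuite HIGH:MEDIUM:+SSLv3\n"
CONF_SPACE_SEPARATED = (
    "TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 TLS_DHE_RSA_AES_128_CBC_SHA1\n"
)
CONF_COLON_LIST = "TLSCipherSuite TLS_RSA_AES_256_CBC_SHA:TLS_DHE_RSA_AES_128_CBC_SHA\n"
CONF_SINGLE = "TLSCipherSuite TLS_RSA_AES_256_CBC_SHA\n"
CONF_BLANK = "#TLSCipherSuite HIGH\nTLSCACertificateFile /etc/ldap/ssl/ca-certificates.crt\n"

# OpenSSL cipher-spec keywords (compared case-insensitively, with any +/-/! prefix
# stripped).  A GnuTLS-linked slapd does not understand these; it expects suite names.
OPENSSL_KEYWORDS = {
    "HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "EXP", "EXPORT", "RSA", "DH",
    "ENULL", "ANULL", "SSLV2", "SSLV3", "TLSV1",
}

# Finding codes (constructed for this example) and what they mean for the operator.
MESSAGES = {
    "DEFAULT": "TLSCipherSuite unset: slapd uses the library default (try this first)",
    "SPACE_SEPARATED": "space-separated list: only the first entry is used, the rest is dropped",
    "OPENSSL_SPEC": "OpenSSL-style cipher spec: the GnuTLS build rejects it and slapd will not start",
    "MULTI_GNUTLS_HANG": "colon-separated GnuTLS suite list: hangs slapd 2.4.7-3 on startup (ITS#5341)",
    "OK": "single GnuTLS suite name: accepted",
}


def tls_ciphersuite_value(conf_text):
    """Return the value of the first active (uncommented) TLSCipherSuite line, or None."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0] == "TLSCipherSuite":
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def lint_ciphersuite(conf_text):
    """Classify the TLSCipherSuite directive; returns a list of finding codes."""
    value = tls_ciphersuite_value(conf_text)
    if not value:
        return ["DEFAULT"]
    findings = []
    if " " in value:
        # slapd stops at the first whitespace-separated token (see message #58).
        findings.append("SPACE_SEPARATED")
    tokens = [t for t in re.split(r"[:\s]+", value) if t]
    if any(t.lstrip("+-!").upper() in OPENSSL_KEYWORDS for t in tokens):
        findings.append("OPENSSL_SPEC")
    gnutls_names = [t for t in tokens if t.startswith("TLS_")]
    if ":" in value and len(gnutls_names) > 1:
        findings.append("MULTI_GNUTLS_HANG")
    return findings or ["OK"]


def report(conf_text):
    """Human-readable report lines for one slapd.conf text."""
    return [MESSAGES[code] for code in lint_ciphersuite(conf_text)]


if __name__ == "__main__":
    for name, conf in [("openssl-style", CONF_OPENSSL_STYLE),
                       ("space-separated", CONF_SPACE_SEPARATED),
                       ("colon list", CONF_COLON_LIST),
                       ("single suite", CONF_SINGLE),
                       ("blank", CONF_BLANK)]:
        for line in report(conf):
            print(f"{name}: {line}")
```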





Message #63 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 12:09:59 -0800
On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote:
> Steve Langasek wrote:
> > Well, I can reproduce the problem when using this value for TLSCipherSuite.
> > But why would you set this value, rather than leaving TLSCipherSuite blank
> > to use the default?  I don't see the point of listing *all* the cipher types
> > if you don't intend to exclude some of them.

> If I leave it blank, it still doesn't work. The behaviour is then 
> exactly equal to the current situation.

Ok.  Does your certificate have a proper cn, matching the fqdn of your
server?  That's the only other case where I can reproduce the described
behavior, but I don't know if that's a behavior change relative to the
OpenSSL version.  (I would have hoped that OpenSSL would also refuse to
negotiate SSL/TLS with a server whose cn doesn't match the hostname being
connected to, since this subverts the SSL security model.)

> > I see that if I leave the cipher list blank, gnutls-cli negotiates
> > TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
> > it works just fine.

> How exactly do you find out? Then I might try the same on my PC.

Running as root on the client:

# tcpdump -i eth1 -n host borges and '(port ldap or port ldaps)' \
    -s 1500 -w ~vorlon/ldaps.pcap

then attempt to connect to the server from the client, ctrl-C out of
tcpdump, and analyze the resulting packet capture with wireshark -r
ldaps.pcap (as a non-root user).

If you're testing with localhost, then you'll want to do, e.g.,

# tcpdump -i lo -n port ldap or port ldaps -s 1500 -w ldaps.pcap

> > The full list of ciphers that gnutls clients appear to negotiate by default
> > is:
> > 
> >   TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
> >   TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
> >   TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
> >   TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
> >   TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5
> >
> > So if you don't want to use the default cipher settings, you can perhaps
> > choose one of these ciphers individually that meets your needs.

> None of thise ciphers seems to work (at least in combination with 
> Thunderbird).

If you're seeing this behavior even when TLSCipherSuite is left blank, then
I think your failure is different than the cipher negotiation problem, and I
suspect the cn problem above, or a problem with a lack of a CA configured on
the client side.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org





Message #68 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Steve Langasek <vorlon@debian.org>, 462588@bugs.debian.org, "T.A. van Roermund" <timo@van-roermund.nl>
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 12:29:39 -0800
--On Tuesday, January 29, 2008 12:09 PM -0800 Steve Langasek 
<vorlon@debian.org> wrote:

> On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote:
>> Steve Langasek wrote:
>> > Well, I can reproduce the problem when using this value for
>> > TLSCipherSuite. But why would you set this value, rather than leaving
>> > TLSCipherSuite blank to use the default?  I don't see the point of
>> > listing *all* the cipher types if you don't intend to exclude some of
>> > them.
>
>> If I leave it blank, it still doesn't work. The behaviour is then
>> exactly equal to the current situation.
>
> Ok.  Does your certificate have a proper cn, matching the fqdn of your
> server?  That's the only other case where I can reproduce the described
> behavior, but I don't know if that's a behavior change relative to the
> OpenSSL version.  (I would have hoped that OpenSSL would also refuse to
> negotiate SSL/TLS with a server whose cn doesn't match the hostname being
> connected to, since this subverts the SSL security model.)

OpenLDAP compiled with OpenSSL behaves the same way, i.e., the cn in the 
cert must match the servername (or the fields in subjectAltName, etc).

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #73 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 22:18:45 +0100
Quanah Gibson-Mount wrote:
>> Ok.  Does your certificate have a proper cn, matching the fqdn of your
>> server?  That's the only other case where I can reproduce the described
>> behavior, but I don't know if that's a behavior change relative to the
>> OpenSSL version.  (I would have hoped that OpenSSL would also refuse to
>> negotiate SSL/TLS with a server whose cn doesn't match the hostname being
>> connected to, since this subverts the SSL security model.)
> 
> OpenLDAP compiled with OpenSSL behaves the same way.  i.e, the cn in the 
> cert must match the servername (or the fields on subjectAltName, etc).

FQDN: server-timo.van-roermund.nl
CN: van-roermund.nl

Will that be the problem? If so, then the behaviour of GnuTLS *is* 
different from the behaviour of OpenSSL. I will test it and let you know.

Regards,

Timo





Message #78 received at 462588@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 14:02:00 -0800
--On Tuesday, January 29, 2008 10:18 PM +0100 "T.A. van Roermund" 
<timo@van-roermund.nl> wrote:


> FQDN: server-timo.van-roermund.nl
> CN: van-roermund.nl
>
> Will that be the problem? If so, then the behaviour of GnuTLS *is*
> different from the behavious of OpenSSL. I will test it and let you know.

That would be a problem if "server-timo.van-roermud.nl" is not in 
subjectAltName for the certs.  Standard OpenLDAP 2.3 against OpenSSL would 
also not accept that cert.  I don't know why the previous debian package 
would have allowed it, unless it was related to the old hacked libldap 
libraries (are those replaced now?).

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration





Message #83 received at 462588@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 462588@bugs.debian.org, "T.A. van Roermund" <timo@van-roermund.nl>
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Tue, 29 Jan 2008 14:22:55 -0800
Quanah Gibson-Mount <quanah@zimbra.com> writes:

> I don't know why the previous debian package would have allowed it,
> unless it was related to the old hacked libldap libraries (are those
> replaced now?).

They are, but they weren't used for the server anyway, so I'm not sure
that explains it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>





Message #88 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Wed, 30 Jan 2008 00:42:01 +0100
Quanah Gibson-Mount wrote:
> That would be a problem if "server-timo.van-roermud.nl" is not in 
> subjectAltName for the certs.

I changed the certificate (self signed), it now looks like this (only 
the relevant parts):



Certificate:
    Data:
	<cut>
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=van-roermund.nl, CN=van-roermund.nl/emailAddress=timo@van-roermund.nl
	<cut>
        Subject: C=NL, ST=Noord-Brabant, O=van-roermund.nl, CN=van-roermund.nl/emailAddress=timo@van-roermund.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
            <cut>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            <cut>
            X509v3 Subject Alternative Name:
                DNS:van-roermund.nl, DNS:server-timo.van-roermund.nl, DNS:www.van-roermund.nl, DNS:imap.van-roermund.nl, DNS:smtp.van-roermund.nl, DNS:ftp.van-roermund.nl



So my FQDN ("server-timo.van-roermund", double checked with "hostname 
-f") is now part of subjectAltName. However, it still doesn't work.

Regards,

Timo




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to "Kyle Moffett" <kyle@moffetthome.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #93 received at 462588@bugs.debian.org (full text, mbox):

From: "Kyle Moffett" <kyle@moffetthome.net>
To: "Steve Langasek" <vorlon@debian.org>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: (ITS#5341) Invalid TLSCipherSuite causes hang
Date: Fri, 1 Feb 2008 00:15:52 -0500
On Jan 29, 2008 2:55 PM, Steve Langasek <vorlon@debian.org> wrote:
> On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> > --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek <vorlon@debian.org> wrote:
> > > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > > startup (which should be investigated).
>
> > Filed upstream:
> > <http://www.OpenLDAP.org/its/index.cgi?findid=5341>
>
> Sorry, the description of this ITS is inverted.  It's *valid* ciphersuite
> values (i.e., "cipher1:cipher2") that cause the hang; invalid
> space-separated values are merely truncated after the first cipher in the
> list, which doesn't cause a hang, it just prevents the cipher list from
> being useful.

Steve, would you mind testing the patch I posted there?  It fixed the
problem for me when I wrote it a month or two ago, hopefully it will
fix the problem for you too.

Cheers,
Kyle Moffett




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Niccolo Rigacci <niccolo@rigacci.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #98 received at 462588@bugs.debian.org (full text, mbox):

From: Niccolo Rigacci <niccolo@rigacci.org>
To: 462588@bugs.debian.org
Subject: Re: Fails to start slapd ldaps:/// on upgrade
Date: Fri, 1 Feb 2008 14:05:58 +0100
I confirm that ldaps broke after upgrade.

This is the workaround in my case:

1) Commented out TLSCipherSuite from /etc/ldap/slapd.conf so it 
   picks up the defaults.

2) Changed TLS_REQCERT from "allow" to "never" in 
   /etc/ldap/ldap.conf.

The clients connect to a name which is different from the 
commonName stated in the self signed certificate.

However this is strange because LDAP.CONF(5) states that 
TLS_REQCERT "allow" means:

  The server certificate is requested. If no certificate is 
  provided, the session proceeds normally. If a bad certificate 
  is provided, it will be ignored and the session proceeds normally.

But the session does not proceed normally, even if I add 
a subjectAltName into the certificate.

-- 
Niccolo Rigacci
Firenze - Italy




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #103 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Kyle Moffett <kyle@moffetthome.net>, openldap-its@openldap.org
Cc: 462588@bugs.debian.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
Date: Fri, 1 Feb 2008 13:22:37 -0800
Hi Kyle,

On Fri, Feb 01, 2008 at 12:15:52AM -0500, Kyle Moffett wrote:
> On Jan 29, 2008 2:55 PM, Steve Langasek <vorlon@debian.org> wrote:
> > On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> > > --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek <vorlon@debian.org> wrote:
> > > > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > > > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > > > startup (which should be investigated).

> > > Filed upstream:
> > > <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

> > Sorry, the description of this ITS is inverted.  It's *valid* ciphersuite
> > values (i.e., "cipher1:cipher2") that cause the hang; invalid
> > space-separated values are merely truncated after the first cipher in the
> > list, which doesn't cause a hang, it just prevents the cipher list from
> > being useful.

> Steve, would you mind testing the patch I posted there?  It fixed the
> problem for me when I wrote it a month or two ago, hopefully it will
> fix the problem for you too.

Thanks, I can confirm this fixes the problem here.  I'm able to set multiple
ciphers in a TLSCipherSuite list, and able to connect appropriately with
ldapsearch and gnutls-cli after the change.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #108 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
Date: Sun, 3 Feb 2008 10:56:34 -0800
A patch has been committed to the package svn tree to fix handling of cipher
lists, which leaves this issue:

On Tue, Jan 29, 2008 at 11:09:32AM -0800, Steve Langasek wrote:
> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

I had a poke around http://www.openssl.org/docs/apps/ciphers.html, which
lists all the various keywords recognized by OpenSSL.  Mapping these onto
the known GnuTLS ciphers using 'openssl ciphers -v' and 'gnutls-cli -l',
here's what I get:

MEDIUM -> TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5
HIGH -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1
LOW -> empty list
DEFAULT: MED+HIGH, w/o ANON_DH, w/ TLS_RSA_EXPORT_ARCFOUR_40_MD5
EXP,EXPORT,EXPORT40 -> TLS_RSA_EXPORT_ARCFOUR_40_MD5
eNULL,NULL -> TLS_RSA_NULL_MD5
aNULL -> TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5 
SSLv2 -> empty list

But this is only a partial list of the most relevant aliases; there are also
aliases for each authentication, key exchange, and encryption algorithm, and
OpenSSL supports various forms of negation and sorting that aren't supported
here by GnuTLS.

I'm pretty sure I don't want to implement support for migrating the full set
of OpenSSL cipher specs in shell. :P

Do you think converting the above aliases would be good enough coverage?  Or
do we need to provide some upgrade handling for all the possibilities, and
therefore we're doomed to add yet another debconf error message here?  In
the latter case I'm probably not going to spend the effort on auto-migrating
any of the values.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #113 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "T.A. van Roermund" <timo@van-roermund.nl>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
Date: Sun, 3 Feb 2008 11:01:48 -0800
On Wed, Jan 30, 2008 at 12:42:01AM +0100, T.A. van Roermund wrote:

> So my FQDN ("server-timo.van-roermund", double checked with "hostname 
> -f") is now part of subjectAltName. However, it still doesn't work.

Please try setting 'TLSVerifyClient allow' in your slapd.conf, and let us
know whether that fixes the problem for you.

In my tests, I see that the default client certificate handling for 2.4.7
with GnuTLS does not match what's documented in the slapd.conf manpage; I
think we have another bug here that will need tracking down.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #118 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Niccolo Rigacci <niccolo@rigacci.org>, 462588@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
Date: Sun, 3 Feb 2008 11:43:54 -0800
On Fri, Feb 01, 2008 at 02:05:58PM +0100, Niccolo Rigacci wrote:
> However this is strange because LDAP.CONF(5) states that 
> TLS_REQCERT "allow" means:

>   The server certificate is requested. If no certificate is 
>   provided, the session proceeds normally. If a bad certificate 
>   is provided, it will be ignored and the session proceeds normally.

> But the session does not proceed normally, even if I add 
> a subjectAltName into the certificate.

What client are you using?  If you use ldapsearch -ZZ, for instance, this
overrides the TLS_REQCERT value in /etc/ldap/ldap.conf.

Do you have a TLSVerifyClient value set in /etc/ldap/slapd.conf?  There is a
bug in 2.4.7 that results in the server requiring client certificates by
default for all TLS/SSL connections.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #123 received at 462588@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 462588@bugs.debian.org
Subject: Re: Bug#462588: Same problem
Date: Sun, 03 Feb 2008 17:29:47 -0800
Steve Langasek <vorlon@debian.org> writes:

> I'm pretty sure I don't want to implement support for migrating the full set
> of OpenSSL cipher specs in shell. :P
>
> Do you think converting the above aliases would be good enough coverage?
> Or do we need to provide some upgrade handling for all the
> possibilities, and therefore we're doomed to add yet another debconf
> error message here?  In the latter case I'm probably not going to spend
> the effort on auto-migrating any of the values.

I would just comment out the cipher list directive completely on upgrade
and document the need to correct it manually if desired in NEWS.Debian.
The most common use of this directive is to restrict use of weak ciphers,
which GnuTLS doesn't support in the first place.

It is unfortunate that GnuTLS doesn't support the same general keywords as
OpenSSL, and it seems like that would be easy enough for GnuTLS to add.
Maybe a wishlist bug against GnuTLS is in order?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Niccolo Rigacci <niccolo@rigacci.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #128 received at 462588@bugs.debian.org (full text, mbox):

From: Niccolo Rigacci <niccolo@rigacci.org>
To: 462588@bugs.debian.org
Cc: vorlon@debian.org
Subject: Re: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
Date: Mon, 4 Feb 2008 10:03:27 +0100
> > However this is strange because LDAP.CONF(5) states that 
> > TLS_REQCERT "allow" means:
> 
> >   The server certificate is requested. If no certificate is 
> >   provided, the session proceeds normally. If a bad certificate 
> >   is provided, it will be ignored and the session proceeds normally.
> 
> What client are you using?  If you use ldapsearch -ZZ, for instance, this
> overrides the TLS_REQCERT value in /etc/ldap/ldap.conf.

On the client (which is not the slapd server) I use the following 
command line:

ldapsearch -x -H ldaps://cheope.mydomain.org/ \
    -x -D "cn=admin,dc=mydomain,dc=org" -W \
    -b "dc=mydomain,dc=org"

Doing it with the alias server name and "TLS_REQCERT allow" 
results in the error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On the server the log reports:

slapd[29352]: conn=25 fd=16 ACCEPT from IP=192.168.200.244:37323 (IP=0.0.0.0:636)
slapd[29352]: conn=25 fd=16 TLS established tls_ssf=32 ssf=32
slapd[29352]: conn=25 fd=16 closed (connection lost)

I need "TLS_REQCERT never" on the client to succeed.

ldapsearch is version 2.4.7-3, slapd is version 2.4.7-3, no 
TLSVerifyClient option is set in slapd.conf.

-- 
Niccolo Rigacci
Firenze - Italy




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #133 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Russ Allbery <rra@debian.org>, 462588@bugs.debian.org
Subject: Re: Bug#462588: Same problem
Date: Thu, 7 Feb 2008 18:53:22 -0800
On Sun, Feb 03, 2008 at 05:29:47PM -0800, Russ Allbery wrote:
> > I'm pretty sure I don't want to implement support for migrating the full set
> > of OpenSSL cipher specs in shell. :P

> > Do you think converting the above aliases would be good enough coverage?
> > Or do we need to provide some upgrade handling for all the
> > possibilities, and therefore we're doomed to add yet another debconf
> > error message here?  In the latter case I'm probably not going to spend
> > the effort on auto-migrating any of the values.

> I would just comment out the cipher list directive completely on upgrade
> and document the need to correct it manually if desired in NEWS.Debian.
> The most common use of this directive is to restrict use of weak ciphers,
> which GnuTLS doesn't support in the first place.

My natural inclination here then is to still make this a debconf error
message, when one of these TLSCipherSuite lines is detected.  It's not nice
to translators, but an untranslatable NEWS.Debian file isn't nicer to users
than an untranslated debconf template anyway, and with a debconf error we
can directly notify the users whose configs have had to be changed.

> It is unfortunate that GnuTLS doesn't support the same general keywords as
> OpenSSL, and it seems like that would be easy enough for GnuTLS to add.
> Maybe a wishlist bug against GnuTLS is in order?

Filed as bug #464625.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
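The alias table from message #108 and the comment-out-and-notify approach settled on here, as an added shell example (not the openldap package's maintainer script and not anyone's code from this thread). It assumes only the OpenSSL-to-GnuTLS mapping tabulated in that message and a slapd.conf whose TLSCipherSuite directive starts in column 0; the config lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not code from the openldap package or from anyone in this
# thread.  It turns the OpenSSL TLSCipherSuite aliases tabulated in the
# thread into the matching GnuTLS cipher lists and, like the 2.4.7-5
# upgrade, comments out any line it cannot translate so the admin can be
# told about it.

# GnuTLS cipher list for one OpenSSL alias, exactly as tabulated in the
# thread.  Prints the list (empty for LOW and SSLv2, which match nothing in
# GnuTLS) and returns 1 for an alias the table does not cover.  DEFAULT is
# left out on purpose: the thread describes its composition but does not
# spell out the resulting list.
gnutls_for_alias() {
    case "$1" in
        MEDIUM) echo "TLS_ANON_DH_ARCFOUR_MD5:TLS_RSA_ARCFOUR_SHA1:TLS_RSA_ARCFOUR_MD5" ;;
        HIGH)   echo "TLS_ANON_DH_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_DHE_RSA_3DES_EDE_CBC_SHA1:TLS_DHE_DSS_3DES_EDE_CBC_SHA1:TLS_RSA_3DES_EDE_CBC_SHA1" ;;
        EXP|EXPORT|EXPORT40) echo "TLS_RSA_EXPORT_ARCFOUR_40_MD5" ;;
        eNULL|NULL) echo "TLS_RSA_NULL_MD5" ;;
        aNULL)  echo "TLS_ANON_DH_AES_256_CBC_SHA1:TLS_ANON_DH_AES_128_CBC_SHA1:TLS_ANON_DH_3DES_EDE_CBC_SHA1:TLS_ANON_DH_ARCFOUR_MD5" ;;
        LOW|SSLv2) echo "" ;;
        *) return 1 ;;
    esac
}

# Translate a colon-separated OpenSSL spec such as "HIGH:MEDIUM".  Prints
# nothing and returns 1 when the spec uses an OpenSSL operator (!X, -X, +X,
# @STRENGTH), which GnuTLS cannot express; when an alias is unknown (this
# also catches the space-separated form, which arrives as one odd token);
# or when nothing usable is left (a spec of just LOW, for example).
migrate_cipher_spec() {
    _result=""
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _token=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_token" in
            '') continue ;;
            "!"*|-*|+*|@*) return 1 ;;
        esac
        _mapped=$(gnutls_for_alias "$_token") || return 1
        if [ -n "$_mapped" ]; then
            _result="${_result:+$_result:}$_mapped"
        fi
    done
    [ -n "$_result" ] || return 1
    printf '%s\n' "$_result"
}

# Rewrite every TLSCipherSuite line of the given slapd.conf in place.
# Translatable lines get the GnuTLS list; the rest are commented out under
# a marker.  Returns 1 if anything was commented out, so a calling
# maintainer script knows it must raise its notice to the admin.
migrate_slapd_conf() {
    _conf=$1
    _tmp="$_conf.migrate.$$"
    _tab=$(printf '\t')
    _commented=0
    _old_umask=$(umask)
    umask 077   # the copy holds the same secrets (rootpw, key paths) as the original
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            "TLSCipherSuite "*|"TLSCipherSuite$_tab"*)
                _value=$(printf '%s' "${_line#TLSCipherSuite}" \
                         | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                if _new=$(migrate_cipher_spec "$_value"); then
                    printf 'TLSCipherSuite %s\n' "$_new"
                else
                    printf '# Disabled on upgrade: OpenSSL cipher spec has no GnuTLS equivalent\n'
                    printf '#%s\n' "$_line"
                    _commented=1
                fi ;;
            *)
                printf '%s\n' "$_line" ;;
        esac
    done < "$_conf" > "$_tmp"
    umask "$_old_umask"
    # copy back rather than mv, so the original file keeps its owner and mode
    cat "$_tmp" > "$_conf" && rm -f "$_tmp"
    [ "$_commented" -eq 0 ]
}

# Usage: migrate_slapd_conf /etc/ldap/slapd.conf || echo "admin must be notified"
```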




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #138 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Niccolo Rigacci <niccolo@rigacci.org>, 462588@bugs.debian.org
Subject: Re: Bug#462588: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
Date: Fri, 8 Feb 2008 17:12:05 -0800
On Mon, Feb 04, 2008 at 10:03:27AM +0100, Niccolo Rigacci wrote:
> > > However this is strange because LDAP.CONF(5) states that 
> > > TLS_REQCERT "allow" means:

> > >   The server certificate is requested. If no certificate is 
> > >   provided, the session proceeds normally. If a bad certificate 
> > >   is provided, it will be ignored and the session proceeds normally.

> > What client are you using?  If you use ldapsearch -ZZ, for instance, this
> > overrides the TLS_REQCERT value in /etc/ldap/ldap.conf.

> On the client (which is not the slapd server) I use the following 
> command line:

> ldapsearch -x -H ldaps://cheope.mydomain.org/ \
>     -x -D "cn=admin,dc=mydomain,dc=org" -W \
>     -b "dc=mydomain,dc=org"

> Doing it with the alias server name and "TLS_REQCERT allow" 
> results in the error:

> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

> On the server the log reports:

> slapd[29352]: conn=25 fd=16 ACCEPT from IP=192.168.200.244:37323 (IP=0.0.0.0:636)
> slapd[29352]: conn=25 fd=16 TLS established tls_ssf=32 ssf=32
> slapd[29352]: conn=25 fd=16 closed (connection lost)

> I need "TLS_REQCERT never" on the client to succeed.

> ldapsearch is version 2.4.7-3, slapd is version 2.4.7-3, no 
> TLSVerifyClient option is set in slapd.conf.

Ok, I can reproduce this problem.  There are two remaining issues here, that
I can see:

- the behavior of "TLS_REQCERT allow" appears to be equivalent to
  "TLS_REQCERT try" in its handling of wrong certificates
- with GnuTLS, subjectAltName values are not being validated properly

I'll have a look at both of these issues.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
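A check for the name/certificate mismatch behind Niccolo's alias-name failure and Timo's subjectAltName experiments, added here as an example (not code from the thread or from OpenLDAP): it parses the text that `openssl x509 -noout -text` prints and applies the general hostname-matching rule that DNS subjectAltName entries take precedence over the CN, including leftmost-label wildcards, which goes beyond the exact-match case discussed above. The sample certificate text and all names in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP.  Checks whether the
# name clients use for the server (what "hostname -f" prints, or an alias)
# is covered by the server certificate, applying the usual rule: DNS
# subjectAltName entries win, and the Subject CN is consulted only when the
# certificate carries no DNS SAN at all.  Input is the text form that
# "openssl x509 -noout -text" prints, read on stdin.

# Print the DNS: entries of the subjectAltName extension, one per line.
cert_dns_sans() {
    awk '
        /X509v3 Subject Alternative Name:/ { insan = 1; next }
        insan && /^ *X509v3 /              { insan = 0 }
        insan {
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", f[i])
                if (f[i] ~ /^DNS:/) print substr(f[i], 5)
            }
        }'
}

# Print the CN of the Subject line (first CN only, stopping at "," or "/").
cert_subject_cn() {
    awk '/^ *Subject:/ {
            if (match($0, "CN=[^,/]*")) print substr($0, RSTART + 3, RLENGTH - 3)
            exit
         }'
}

# Does NAME ($1) match PATTERN ($2)?  Exact match, plus the single leftmost
# wildcard label "*.example.test", which covers a.example.test but neither
# example.test itself nor b.a.example.test.
name_matches() {
    case "$2" in
        \*.*) [ "${1#*.}" != "$1" ] && [ "${1#*.}" = "${2#\*.}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Usage: openssl x509 -noout -text -in /etc/ldap/ssl/server.pem \
#          | cert_covers_name "$(hostname -f)"
# Returns 0 when NAME is covered, 1 otherwise, and prints the reason.
cert_covers_name() {
    _name=$1
    _text=$(cat)
    _sans=$(printf '%s\n' "$_text" | cert_dns_sans)
    if [ -n "$_sans" ]; then
        # read line by line: an unquoted for-loop would glob wildcard SANs
        _hit=$(printf '%s\n' "$_sans" | while IFS= read -r _san; do
                   if name_matches "$_name" "$_san"; then
                       printf '%s\n' "$_san"
                       break
                   fi
               done)
        if [ -n "$_hit" ]; then
            echo "ok: $_name is covered by subjectAltName $_hit"
            return 0
        fi
        echo "mismatch: $_name is not in subjectAltName (CN is not consulted when DNS SANs exist)"
        return 1
    fi
    _cn=$(printf '%s\n' "$_text" | cert_subject_cn)
    if name_matches "$_name" "$_cn"; then
        echo "ok: no DNS subjectAltName, $_name matches CN $_cn"
        return 0
    fi
    echo "mismatch: $_name matches neither a subjectAltName nor CN '$_cn'"
    return 1
}

# Constructed sample shaped like the certificate posted in this thread (not
# that certificate): a CN that differs from the server's FQDN, with the
# FQDN listed only in subjectAltName.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=example, CN=example.test/emailAddress=admin@example.test
        Subject: C=NL, O=example, CN=example.test/emailAddress=admin@example.test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:example.test, DNS:ldap.example.test, DNS:*.mail.example.test
    Signature Algorithm: sha1WithRSAEncryption'
```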




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #143 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Niccolo Rigacci <niccolo@rigacci.org>, 462588@bugs.debian.org
Subject: Re: Bug#462588: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
Date: Fri, 8 Feb 2008 18:06:40 -0800
On Fri, Feb 08, 2008 at 05:12:05PM -0800, Steve Langasek wrote:
> Ok, I can reproduce this problem.  There are two remaining issues here, that
> I can see:

> - the behavior of "TLS_REQCERT allow" appears to be equivalent to
>   "TLS_REQCERT try" in its handling of wrong certificates

I've looked deeper into this, and find that this is not a regression.  The
ldapsearch from OpenLDAP 2.3 linked against OpenSSL would also abort the
connection if given a certificate that didn't match the requested hostname.

If you (or someone else) think this behavior is wrong, please file a
separate bug report; otherwise I defer to the existing upstream behavior.

> - with GnuTLS, subjectAltName values are not being validated properly

And this one is now fixed in subversion.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Tags added: pending Request was from vorlon@alioth.debian.org to control@bugs.debian.org. (Sat, 09 Feb 2008 19:12:01 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to "T.A. van Roermund" <timo@van-roermund.nl>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #150 received at 462588@bugs.debian.org (full text, mbox):

From: "T.A. van Roermund" <timo@van-roermund.nl>
To: 462588@bugs.debian.org
Subject: Re: Bug#462588: Same problem
Date: Sat, 09 Feb 2008 21:10:31 +0100
Steve Langasek wrote:
> Please try setting 'TLSVerifyClient allow' in your slapd.conf, and let us
> know whether that fixes the problem for you.
> 
> In my tests, I see that the default client certificate handling for 2.4.7
> with GnuTLS does not match what's documented in the slapd.conf manpage; I
> think we have another bug here that will need tracking down.

You are right, this fixes the problem.

Thanks!

Timo






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#462588; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #155 received at 462588@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: vedranf@riteh.hr, 462588@bugs.debian.org
Cc: Alex Samad <alex@samad.com.au>, "T.A. van Roermund" <timo@van-roermund.nl>
Subject: Re: [Pkg-openldap-devel] Bug#462588: Same here
Date: Sat, 9 Feb 2008 14:57:49 -0800
Hi Vedran,

On Wed, Jan 30, 2008 at 01:57:37AM +0100, Vedran Furač wrote:
> I have the same problem after upgrading.

I'm not at all certain whether your problem is the same as the others that
have been reported.

I'm uploading a 2.4.7-5 package to unstable now, that fixes no fewer than 4
distinct regressions related to TLS support (all of them included in this
single bug report).  Please test this package when it becomes available on
your mirror, and if you are still having this problem after upgrading, file
a new bug report.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Alex Samad <alex@samad.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #160 received at 462588-close@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 462588-close@bugs.debian.org
Subject: Bug#462588: fixed in openldap2.3 2.4.7-5
Date: Sat, 09 Feb 2008 23:17:04 +0000
Source: openldap2.3
Source-Version: 2.4.7-5

We believe that the bug you reported is fixed in the latest version of
openldap2.3, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/ldap-utils_2.4.7-5_amd64.deb
libldap-2.4-2-dbg_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.7-5_amd64.deb
libldap-2.4-2_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/libldap-2.4-2_2.4.7-5_amd64.deb
libldap2-dev_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/libldap2-dev_2.4.7-5_amd64.deb
openldap2.3_2.4.7-5.diff.gz
  to pool/main/o/openldap2.3/openldap2.3_2.4.7-5.diff.gz
openldap2.3_2.4.7-5.dsc
  to pool/main/o/openldap2.3/openldap2.3_2.4.7-5.dsc
slapd-dbg_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/slapd-dbg_2.4.7-5_amd64.deb
slapd_2.4.7-5_amd64.deb
  to pool/main/o/openldap2.3/slapd_2.4.7-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462588@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat, 09 Feb 2008 14:25:55 -0800
Source: openldap2.3
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.7-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 462099 462588 462688 462987 463149 463442 463472 463971 464718 464719
Changes: 
 openldap2.3 (2.4.7-5) unstable; urgency=low
 .
   [ Updated debconf translations ]
   * Finnish, thanks to Esko Arajärvi <edu@iki.fi>.  Closes: #462688.
   * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>.  Closes: #462987.
   * French, thanks to Christian Perrier <bubulle@debian.org>.
     Closes: #463149.
   * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>.  Closes: #463442.
   * Czech, thanks to Miroslav Kure <kurem@debian.cz>.  Closes: #463472.
   * German, thanks to Helge Kreutzmann <debian@helgefjell.de>.
     Closes: #464718.
 .
   [ Steve Langasek ]
   * Fix various regressions related to the introduction of GnuTLS:
     - Add new patch, gnutls-ciphers, to fix support for specifying multiple
       ciphers with TLSCipherSuite option in slapd.conf.  Thanks to Kyle
       Moffett <kyle@moffetthome.net> for the patch.  Closes LP: #188200.
     - Add new patch, slapd-tlsverifyclient-default, to set the intended
       default value of "TLSVerifyClient never" in the right place.
     - Add new patch, gnutls-altname-nulterminated, to account for differences
       in how the "length" is returned for commonName vs. subjectAltName.
     - Comment out TLSCipherSuite settings on upgrade from all versions prior
       to 2.4.7-5, and throw a debconf error to the user notifying them of
       this, since all OpenSSL cipher suite values are incompatible with
       GnuTLS.
     Closes: #462588.
   * Add new patch from upstream, entryCSN-backwards-compatibility, to support
     auto-converting entryCSN attributes in a previously supported old format,
     fixing an upgrade failure.  Closes: #462099.
   * Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the
     latter resorts to a SIGKILL and may corrupt backend data; whereas the
     former will exit non-zero if slapd is still running but won't directly
     cause data-loss.  Thanks to Mark McDonald for the patch.  LP: #92139.
   * Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for
     reporting.  Closes: #463971.
   * Fix a superfluous space in the debconf templates, due to a trailing space
     in the templates.  Closes: #464719.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Mar 2008 07:39:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:26:18 2014; Machine Name: beach.debian.org
