NetBSD Problem Report #53675

From brad@anduin.eldar.org  Thu Oct 18 23:50:24 2018
Return-Path: <brad@anduin.eldar.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 0E1DE7A1CB
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 18 Oct 2018 23:50:24 +0000 (UTC)
Message-Id: <201810182350.w9INoJEL027804@anduin.eldar.org>
Date: Thu, 18 Oct 2018 19:50:19 -0400 (EDT)
From: brad@anduin.eldar.org
Reply-To: brad@anduin.eldar.org
To: gnats-bugs@NetBSD.org
Subject: ldaps appears to be broken
X-Send-Pr-Version: 3.95

>Number:         53675
>Category:       lib
>Synopsis:       ldaps appears to be broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 18 23:55:00 +0000 2018
>Last-Modified:  Thu Aug 08 12:10:01 +0000 2019
>Originator:     brad@anduin.eldar.org
>Release:        NetBSD 8.99.25
>Organization:
	Eldar.org
>Environment:
System: NetBSD localhost 8.99.25 NetBSD 8.99.25 (XEN3_DOMU) #0: Mon Oct  8 20:54:57 EDT 2018  brad@samwise.nat.eldar.org:/lhome/DIST/OBJ/sys/arch/amd64/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:

Somewhere between 8.0 and -current, ldaps appears to have broken.  Non-TLS connections work fine.

>How-To-Repeat:

The server is an OpenLDAP server version 2.4.45 from pkgsrc running on
NetBSD 7.1_STABLE.  The certificate is a real cert from Let's Encrypt.
The client is simply ldapsearch from the base system.  The server is
pretty generous in the versions of SSL/TLS it supports for LDAP.

A working example:

ldapsearch -H 'ldaps://ldap.something.com' -D 'uid=nssread,ou=Internal,dc=something,dc=com' -w 'NONONONONONONONONONO' -b 'dc=something,dc=com' 'uid=brad'

produces the desired node and the server says:

<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 ACCEPT from IP=10.1.100.235:65534 (IP=0.0.0.0:636) 
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 TLS established tls_ssf=256 ssf=256 
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" method=128 
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 op=0 BIND dn="uid=nssread,ou=Internal,dc=something,dc=com" mech=SIMPLE ssf=0 


A not working example:

ldapsearch -H 'ldaps://ldap.something.com' -D 'uid=nssread,ou=Internal,dc=something,dc=com' -w 'NONONONONONONONONONO' -b 'dc=something,dc=com' 'uid=brad'

produces the following error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch will often produce this error for a lot of reasons.  The server says:

<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 ACCEPT from IP=10.1.100.6:65534 (IP=0.0.0.0:636) 
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 closed (TLS negotiation failure) 


An annoying thing is that openssl s_client -connect ... from the
-current system manages to work fine in establishing a simple TLS
connection.

>Fix:

Don't know, but I can help debug the issue.

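
The slapd log lines quoted above are the server-side evidence for this bug: the failing client gets an ACCEPT followed by "closed (TLS negotiation failure)" instead of "TLS established". The following script is an added example, not part of the PR, that summarises those outcomes per connection so the client hosts whose handshakes never complete can be listed; the log lines it embeds are constructed in the format shown above.

```shell
#!/bin/sh
# Added example: attribute slapd TLS outcomes to the client that opened
# each connection. Sample log is constructed in the style of the PR.
SAMPLE_LOG='<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 ACCEPT from IP=10.1.100.235:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:35:33 ldap.something.com slapd[10386]: conn=116750 fd=73 TLS established tls_ssf=256 ssf=256
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 ACCEPT from IP=10.1.100.6:65534 (IP=0.0.0.0:636)
<20.7>Oct 18 19:38:48 ldap.something.com slapd[10386]: conn=116761 fd=77 closed (TLS negotiation failure)'

# tls_outcomes: read a slapd log on stdin and print "conn client-ip outcome"
# for every accepted connection, where outcome is open, tls-ok or tls-failed.
tls_outcomes() {
    awk '
    # conn= ids tie the ACCEPT line (which carries the client IP) to the
    # later TLS line (which carries the handshake result).
    function connid(line) {
        match(line, /conn=[0-9]+/)
        return substr(line, RSTART + 5, RLENGTH - 5)
    }
    / ACCEPT from IP=/ {
        c = connid($0)
        match($0, /from IP=[0-9.]+/)
        ip[c] = substr($0, RSTART + 8, RLENGTH - 8)
        outcome[c] = "open"
        order[++n] = c
    }
    / TLS established / { outcome[connid($0)] = "tls-ok" }
    /TLS negotiation failure/ { outcome[connid($0)] = "tls-failed" }
    END {
        for (k = 1; k <= n; k++)
            print order[k], ip[order[k]], outcome[order[k]]
    }'
}

# failing_clients: unique client IPs whose TLS handshake with slapd failed.
# On the PR reporter's network this would single out the -current host.
failing_clients() {
    tls_outcomes | awk '$3 == "tls-failed" { print $2 }' | sort -u
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | tls_outcomes
```

Feed a real slapd log (at the loglevel that emits conn/TLS lines) to `tls_outcomes` in place of the sample to see which clients, by IP, are the ones that need their LDAP client library fixed.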

>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: lib/53675: ldaps appears to be broken
Date: Tue, 6 Aug 2019 07:25:22 +0000

 I recommend reporting this problem upstream.
 - Is the problem to do with too new OpenSSL, or to do with netbsd
   changes?

 Comparing to another OS that uses the same major version OpenSSL will be
 good (e.g. some of the up to date linuxes)

From: Brad Spencer <brad@anduin.eldar.org>
To: gnats-bugs@netbsd.org
Cc: lib-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: lib/53675: ldaps appears to be broken
Date: Tue, 06 Aug 2019 12:21:10 -0400

 coypu@sdf.org writes:

 > The following reply was made to PR lib/53675; it has been noted by GNATS.
 >
 > From: coypu@sdf.org
 > To: gnats-bugs@netbsd.org
 > Cc: 
 > Subject: Re: lib/53675: ldaps appears to be broken
 > Date: Tue, 6 Aug 2019 07:25:22 +0000
 >
 >  I recommend reporting this problem upstream.
 >  - Is the problem to do with too new OpenSSL, or to do with netbsd
 >    changes?
 >  
 >  Comparing to another OS that uses the same major version OpenSSL will be
 >  good (e.g. some of the up to date linuxes)
 >  


 I do not think that this is an upstream problem.


 I have set up an OpenLDAP server on the following system types compiled
 from pkgsrc 2018Q4:

 NetBSD - 8.0_STABLE
 OpenSSL 1.0.2k  26 Jan 2017
 ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.23 $
         (LDAP library: OpenLDAP 20439)

 NetBSD - 9.0_BETA (upgraded system from 8.0_STABLE)
 OpenSSL 1.1.1c  28 May 2019
 ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.23 $
         (LDAP library: OpenLDAP 20439)
 (from the installed 8.0_STABLE 2018Q4 pkgsrc packages)
 ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.47 (Feb 13 2019 05:07:27) $
         brad@gimli.nat.eldar.org:/lhome/WORK/databases/openldap-client/work/openldap-2.4.47/clients/tools
         (LDAP library: OpenLDAP 20447)


 A 389DS system was set up and configured on this system:

 CentOS 7.6.1810 - 3.10.0-957.27.2.el7.x86_64
 OpenSSL 1.0.2k-fips  26 Jan 2017
 openldap-clients.x86_64                 2.4.44-21.el7_6                @updates 


 In addition to testing from all of the above systems, I tested the
 ldapsearch client from the following:

 ArchLinux - 5.2.6-arch1-1-ARCH
 OpenSSL 1.1.1c  28 May 2019
 openldap 2.4.47-3

 FreeBSD - 12.0-RELEASE
 OpenSSL 1.1.1a-freebsd  20 Nov 2018
 openldap-client-2.4.47

 NetBSD - 8.99.23
 OpenSSL 1.1.0h  27 Mar 2018
 ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.23 $
         (LDAP library: OpenLDAP 20439)



 In ALL cases a recent NetBSD-current (libcrypto.so.14) or NetBSD
 9.0_BETA will fail to perform an ldapsearch via TLS to either an OpenLDAP
 server or a 389DS server when using the base OS ldapsearch binary.  In
 all other cases, every other system of every other type works fine.  In
 addition the NetBSD 9.0_BETA system will work fine too if it uses
 ldapsearch from the installed pkgsrc that was present on the system.  In
 that case, /usr/pkg/bin/ldapsearch was from the 8.0_STABLE era and is
 compiled against libcrypto.so.12 which is still present on the system.
 To mess with one's mind even more, openssl s_client works just fine on
 9.0_BETA; it is just that the base OS ldapsearch does not (and neither does
 pam_ldap or nss_ldap).

 I think that this ruled out everything but the situation where the base
 ldap client code is too old (but compiled anyway) for the openssl
 present in the base OS.

 What I am unable to try right now is a pkgsrc openldap-client (which may
 be a newer ldap client) compiled against 9.0_BETA or -current.  This
 would eliminate the ldap client code from the base OS, but would use the
 newer openssl.

 Further, in all cases, proper certificates were obtained from Let's
 Encrypt and the needed CA anchors were put into place in the OSs as
 needed.  All systems pass the openssl s_client test and validate the
 certificate chain (as is required by OpenLDAP client code) without any
 special flags to openssl s_client.






 -- 
 Brad Spencer - brad@anduin.eldar.org - KC8VKS - http://anduin.eldar.org

From: Brad Spencer <brad@anduin.eldar.org>
To: gnats-bugs@netbsd.org
Cc: lib-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: lib/53675: ldaps appears to be broken
Date: Thu, 08 Aug 2019 08:07:49 -0400

 coypu@sdf.org writes:

 > The following reply was made to PR lib/53675; it has been noted by GNATS.
 >
 > From: coypu@sdf.org
 > To: gnats-bugs@netbsd.org
 > Cc: 
 > Subject: Re: lib/53675: ldaps appears to be broken
 > Date: Tue, 6 Aug 2019 07:25:22 +0000
 >
 >  I recommend reporting this problem upstream.
 >  - Is the problem to do with too new OpenSSL, or to do with netbsd
 >    changes?
 >  
 >  Comparing to another OS that uses the same major version OpenSSL will be
 >  good (e.g. some of the up to date linuxes)
 >  


 I did some more work on this bug.

 I got a 9.0_BETA system built with a pkgsrc openldap which is compiled
 against the system libcrypto.so (1.1.1c) and it works fine with ldaps.
 This mostly leads me to conclude that the in-tree openldap version, which
 appears to be 2.4.45 (labeled 2.4.23), should be updated.  An
 alternative might be to set something like PREFER_PKGSRC=openldap-client
 when building packages, but that would still leave a broken in-tree set
 of ldap utilities.  As it stands right now anything built with pkgsrc
 that uses the ldap client and expects working TLS will fail.


 There are entries in the CHANGES file for openldap 2.4.47 (the pkgsrc
 version) that seem to indicate that support for OpenSSL >= 1.1.1a was
 added after 2.4.45.

 OpenLDAP 2.4.46 Release (2018/03/22)
 Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791)



 I won't have time in the near term, personally, to try and get a new
 version into the tree, but I highly advocate for this update.  I can
 probably test any changes.



 -- 
 Brad Spencer - brad@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
