On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> On 2024-04-29 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> > Package: libgnutls30
> > Version: 3.7.9-2+deb12u2
> > Severity: important
> >
> > Long story to finding this one. Trying to get LDAP setup on this
> > network. As a recent deployment it seemed appropriate to use IPv6.
> >
> > From `nslcd` on clients I was getting the message:
> > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server
> > ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS
> > connection was non-properly terminated.: Resource temporarily unavailable
> >
> > Running `nslcd` in debug mode failed to yield any additional useful
> > information.
> >
> > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > is two arguments, the ldaps and ldapi are a single argument). I got
> > traces from `slapd`: (serial numbers filed off)
> >
> > tls_read: want=5, got=5
> > 0000: 16 03 01 01 8f
> >
> > tls_read: want=399, got=399
> > 0160: ............fd12
> > 0170: :3456:7890:abcd:
> > 0180: :3.-.........@.
> > TLS: can't accept: A disallowed SNI server name has been received..
> > connection_read(13): TLS accept failure error=-1 id=1005, closing
> >
> > Further tracing of the error message appears to point to the function
> > `_gnutls_dnsname_is_valid()` in gnutls/lib/str.h. Seems libgnutls30 is
> > incompatible with numeric IPv6 addresses.
> >
> > While IPv6-only hosts are presently uncommon, there is now quite a bit of
> > IPv6 traffic in many places. I think this is worthy of having a severity
> > of "critical" as "bookworm" may remain as "stable" past when there is
> > more IPv6 traffic than IPv4 traffic. For "trixie" this seems very
> > likely.
> [...]
>
> Good morning,
>
> I guess you used the IPv6 address as either CN or Subject Alternative
> Name. Both take names, not IP addresses. There is a different field for
> IP addresses.
>
> gnutls-cli --port 636 fd12:3456:7890:abcd::3
>
> will probably give more info.
>
> FWIW I have just generated a local test certificate with "IPAddress:"
> set to '::1' and things work for me as expected.
Hmm, `gnutls-cli --port ldaps` gave a different result. The connection
successfully established and I was left being able to type to `slapd`.

Unfortunately that causes there to be 3 packages which could be the one
responsible for the problem. Could be libgnutls30 as I originally
suspected. Yet `slapd` and `nslcd` could also be responsible for the
problem.

The string "A disallowed SNI server name has been received." is found in
`libgnutls.so.30`. The string "connection_read(%d): input error=%d id=%lu,
closing." is found in `/usr/sbin/slapd`. Anything further is purely
guesswork.

-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
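Added illustration of what the slapd trace above is showing; this is example code written for this page, not code from the bug report, from GnuTLS or from OpenLDAP. The trace dumps a ClientHello (record header `16 03 01 01 8f`) whose server_name extension carries the literal `fd12:3456:7890:abcd::3`, and RFC 6066 section 3 says of the SNI HostName that "Literal IPv4 and IPv6 addresses are not permitted". The script builds a minimal ClientHello of its own (constructed bytes, not the 399-byte hello from the trace; only the SNI string is reused), parses the SNI back out of the record, and applies that rule, so you can see why a strict server rejects the hello with the IPv6 literal but accepts the same hello with a DNS name or with no SNI at all. Field layouts follow RFC 5246 and RFC 6066; the regex for DNS labels is this example's own approximation.

```python
"""
Build a minimal TLS 1.2 ClientHello with an optional server_name (SNI)
extension, extract the SNI from the raw record, and check it against the
RFC 6066 section 3 rule: HostName is a DNS name, IP literals are not
allowed. Example code for the discussion above, not GnuTLS/OpenLDAP code.
"""
import ipaddress
import re
import struct
from typing import Optional

EXT_SERVER_NAME = 0       # RFC 6066 ExtensionType server_name
NAME_TYPE_HOST_NAME = 0   # RFC 6066 NameType host_name
# Approximation of a valid DNS label: 1-63 LDH characters, no leading/trailing '-'.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_client_hello(sni: Optional[str], client_random: bytes = b"\x11" * 32) -> bytes:
    """Return a TLS record (content type 0x16) holding a ClientHello with one
    cipher suite, null compression and, when sni is given, one SNI entry.
    The bytes are constructed for this example only."""
    body = b"\x03\x03" + client_random                   # client_version 1.2, random
    body += b"\x00"                                      # empty session_id
    body += b"\x00\x02" + b"\xc0\x2f"                    # one cipher suite
    body += b"\x01\x00"                                  # compression: null only
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a handshake record holding a ClientHello; return the SNI
    host_name, or None when the hello carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos >= len(hs):
        return None                                      # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == NAME_TYPE_HOST_NAME:
                return name.decode("ascii", errors="replace")
    return None


def sni_is_allowed(name: Optional[str]) -> bool:
    """RFC 6066 section 3: an SNI HostName must be a DNS name; literal IPv4
    and IPv6 addresses are forbidden. Absent SNI is fine (the server then
    picks its default certificate)."""
    if name is None:
        return True
    try:
        ipaddress.ip_address(name)
        return False                                     # IP literal: disallowed
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    return all(_DNS_LABEL.match(label) for label in labels)


def verdict(record: bytes) -> str:
    """Mimic a strict server's decision for one ClientHello record."""
    name = extract_sni(record)
    return "accept" if sni_is_allowed(name) else "reject: disallowed SNI %r" % name


if __name__ == "__main__":
    for sni in ("fd12:3456:7890:abcd::3", "192.0.2.7", "ldap.example.org", None):
        print("%-26s -> %s" % (sni, verdict(build_client_hello(sni))))
```

When a client must reach the server by IP literal, the right fix is on the client side: send no SNI for that connection and match the certificate against an iPAddress SAN (which is the field Andreas's `IPAddress: ::1` test certificate exercises), rather than putting the address into SNI or into a dNSName/CN.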