[EMAIL PROTECTED] via RT wrote:
Hi,
initial report at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185080
IMHO it's more an OpenSSL than an OpenLDAP client problem.

The use of TLS_CACERTDIR / TLSCACertificatePath is discouraged in all of the OpenLDAP documentation.

See slapd.conf(5), ldap.conf(5) man pages, and the OpenLDAP Admin Guide section 12.2: http://www.openldap.org/doc/admin23/tls.html

Regards,
Peter

Description of problem:
While tracking down why an LDAP-enabled postfix cannot look up via a TLS-enabled LDAP client, I found that the openssl function SSL_add_dir_cert_subjects_to_stack is very optimistic regarding the files found in a specified directory.
Version-Release number of selected component (if applicable):
openssl-0.9.7a-43.4
also openssl-0.9.7i (latest 0.9.7 release)
also openssl-0.9.8a (latest 0.9.8 release)
in conjunction with
openldap-2.2.13-4
also openldap-2.2.30 (latest 2.2 release)
also openldap-2.3.20 (latest 2.3 release)

How reproducible: Always
Steps to Reproduce:
1. Create a directory for local PKI storage, e.g. /etc/pki
2. Store local CA, local server certificates and local keys into this directory
3. Set proper permissions to keys, e.g.
chmod o-rwx *.key.pem
#  ll /etc/pki/
total 120
lrwxrwxrwx  1 root root   23 Sep 14 15:42 592fcc04.0 -> ca.crt
-r--r--r--  1 root root 1834 Sep 14 15:39 ca.crt
-r--r--r--  1 root root 2529 Sep 14 15:39 AE-CA-Class4-2005-A.crt
-r--------  1 root root 5875 Sep 14 15:45 ca+cert+key.pem
-r--r--r--  1 root root 4196 Sep 14 16:07 ca+cert.pem
-r--r--r--  1 root root 2362 Sep 14 15:37 cert.crt
-r--r-----  1 root root 4041 Sep 14 15:50 cert+key.pem
-r--r-----  1 root ldap 1679 Sep 14 15:37 key.pem
(note: group=ldap for the LDAP server, which reads the key file for server TLS after changing the user to "ldap")
4. Configure /etc/openldap/slapd.conf for TLS like
TLSCACertificateFile    /etc/pki/ca.crt
TLSCACertificatePath    /etc/pki
TLSCertificateFile      /etc/pki/crt.crt
TLSCertificateKeyFile   /etc/pki/key.pem

5. Configure /etc/openldap/ldap.conf related
URI     ldaps://ldapserver/
#URI    ldap://ldapserver/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/pki # <- important!

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
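Added example, not code from the OpenSSL or OpenLDAP projects and not the reporter's own setup: a Python pre-flight audit of a TLS_CACERTDIR / TLSCACertificatePath directory. For a given unprivileged uid and group set it flags the entries that a scan which opens every file in the directory (the behaviour the report describes for SSL_add_dir_cert_subjects_to_stack) would trip over: files that user cannot read, files carrying PRIVATE KEY blocks, and non-PEM files. It also marks which names follow the c_rehash hash.N pattern that OpenSSL's hashed directory lookup keys on. It makes no OpenSSL calls; the PEM bodies are placeholders, and the numeric ids 0 for root and 55 for ldap are hypothetical values chosen to mirror the listing in the report.

```python
"""Pre-flight audit of a TLS_CACERTDIR / TLSCACertificatePath directory.
Added example (not OpenSSL or OpenLDAP code): PEM labels and POSIX mode bits only."""
import os
import re
import stat
from dataclasses import dataclass

# One PEM block; the captured label forces a matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# c_rehash-style name (subject hash + suffix) that OpenSSL's hashed lookup keys on.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


@dataclass
class Entry:
    name: str
    mode: int          # permission bits only, e.g. 0o440
    uid: int
    gid: int
    data: str          # file contents; ignored for symlinks
    link: str = None   # symlink target (a name in the same directory)


def readable_by(e, uid, gids):
    """Plain POSIX read check for (uid, gids); root reads everything."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & stat.S_IRUSR)
    if e.gid in gids:
        return bool(e.mode & stat.S_IRGRP)
    return bool(e.mode & stat.S_IROTH)


def classify(e, uid, gids):
    """'ok' only for a readable PEM file with a CERTIFICATE and no PRIVATE KEY."""
    if not readable_by(e, uid, gids):
        return "unreadable"
    labels = [m.group(1) for m in PEM_BLOCK.finditer(e.data)]
    if not labels:
        return "not_pem"
    if any("PRIVATE KEY" in label for label in labels):
        return "private_key"
    if "CERTIFICATE" not in labels:
        return "no_cert"
    return "ok"


def audit(entries, uid, gids):
    """Map each name to (status, hash_named); a symlink is judged by its target."""
    by_name = {e.name: e for e in entries}
    report = {}
    for e in entries:
        target = by_name.get(e.link) if e.link else e
        status = classify(target, uid, gids) if target else "dangling"
        report[e.name] = (status, bool(HASH_NAME.match(e.name)))
    return report


def load_dir(path):
    """Read a real directory into Entry objects (symlinks kept as links)."""
    entries = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        link = os.readlink(full) if stat.S_ISLNK(st.st_mode) else None
        data = ""
        if link is None and stat.S_ISREG(st.st_mode):
            try:
                with open(full, errors="replace") as fh:
                    data = fh.read()
            except OSError:
                pass
        entries.append(Entry(name, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, data, link))
    return entries


def pem(label):
    # Constructed stand-in block: placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\nMIIBplaceholderbody\n-----END {label}-----\n"


def demo_entries():
    """Constructed model of the listing in the report; uid 0 is root and the
    assumed uid/gid 55 for ldap is a hypothetical numeric id."""
    cert, key = pem("CERTIFICATE"), pem("RSA PRIVATE KEY")
    return [
        Entry("592fcc04.0", 0o777, 0, 0, "", link="ca.crt"),
        Entry("ca.crt", 0o444, 0, 0, cert),
        Entry("AE-CA-Class4-2005-A.crt", 0o444, 0, 0, cert),
        Entry("ca+cert+key.pem", 0o400, 0, 0, cert + cert + key),
        Entry("ca+cert.pem", 0o444, 0, 0, cert + cert),
        Entry("cert.crt", 0o444, 0, 0, cert),
        Entry("cert+key.pem", 0o440, 0, 0, cert + key),
        Entry("key.pem", 0o440, 0, 55, key),
    ]
```

Against a real directory, call `audit(load_dir("/etc/pki"), uid, gids)` with the uid and groups slapd drops to. Run on the constructed model as the ldap user, the three key-bearing files come back as problems (two unreadable, one readable but a private key); as root all three come back as private_key. Only the hash-named symlink is what the hashed directory lookup would consult, which is the practical reason to point TLSCACertificateFile at the CA bundle instead, as Howard recommends, and in any case to keep keys out of a directory that an every-file scan may walk.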
