This bugs affects libldap-2.4.-2, at least versions versions 2.4.28
(2.4.28-1.1ubuntu4) and 2.4.31 (2.4.31-1ubuntu2), when compiled against GnuTLS.
The bug exists in latest openldap.org upstream versions from 2.4.28 to 2.4.33
at least; probably since they switched from custom parsing the cipher suite for
GnuTLS to GnuTLS's own. Based on this upstream report,
http://www.openldap.org/its/index.cgi/Incoming?id=6939#themesg
I suspect the bug has existed upstream at least since 2.4.25.
Based on the symptoms and crash reports, I strongly believe
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1026057
https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1090554
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640384
are all the same bug.
To reproduce, I used a simplified ldapsearch-like program, which
connects to an ldap server (ldap:// URIs), then sets the desired
priority (cipher suite) based on a command-line parameter, issues
StartTLS to secure the connection, then does a simple anonymous search.
If the cipher suite is not valid for GnuTLS, the program crashes in
libldap_r-2.4-2. The test program is attached for easier bug
verification. (Note: You need an LDAP server supporting StartTLS to
connect to.)
It seems that in any application that relies on libldap parsing the
cipher suite will crash the same way, when the cipher suite is not valid
for GnuTLS, and the connection involves StartTLS. This includes at least
sssd: put e.g. "ldap_tls_cipher_suite = FOOBAR" and
"ldap_id_use_start_tls = True" in sssd.conf, and use an ldap:// URI, and
sssd will crash.
Correct cipher suites for GnuTLS are very complex to construct; for
example, to allow only AES and CAMELLIA 256-bit ciphers with 160 or
256-bit SHA MACs and RSA key exchange and any compression and any TLS
version (excluding SSH3.0), one needs to use "'NONE:+VERS-TLS1.2:+VERS-
TLS1.1:+VERS-TLS1.0:+COMP-
ALL:+AES-256-CBC:+CAMELLIA-256-CBC:+RSA:+SHA1:+SHA256".
If the Ubuntu OpenLDAP developers and users can confirm the bug, and
that this patch fixes the issue, it would be easier to push the patch
upstream. I do not currently use LDAP on my machines, as I only
investigated the issue to help a friend. So, it does not matter to me
whether the patch is accepted or not, or if the bug is further
investigated or not. I'm very willing to help, though.
** Bug watch added: Debian Bug tracker #640384
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640384
** Attachment added: "Simple ldapsearch-like program to explore the bug."
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+attachment/3497490/+files/search.c
** Changed in: openldap (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1103353
Title:
Invalid GnuTLS cipher suite strings causes libldap to crash
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
