Your message dated Tue, 24 Jan 2017 23:04:58 +0000
with message-id <e1cwa94-000er8...@fasolo.debian.org>
and subject line Bug#849756: fixed in sssd 1.14.2-2.1
has caused the Debian Bug report #849756,
regarding sssd-ldap fails to connect to ldaps:// due to problem with
non-blocking socket
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
849756: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849756
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sssd-ldap
Version: 1.14.2-1
Severity: serious
Tags: security
Feel free to downgrade the severity, but as this sends passwords in cleartext
(though in a case that I hope
will never work so not that likely to loose important passwords) and makes me
wonder whether this package can
work at all with any ldaps server, I guessed it might be a suitable severity.
This might be the cause of other "[sdap_process_result] (0x0040): ldap_result
error: [Can't contact LDAP server]" bug reports, but as this error message is
so generic, I'm creating a new bug report.
sssd calls ldap_install_tls on a socket without removing and NON_BLOCKING bits
from it.
This seems to be not supported by the current libldap2-4 version, which returns
LDAP_SUCCESS but later fails.
Due to the way libldap fails the request is then send unencrypted (within the
SSL Stream).
Here it usually happens that sssd sends both the "Client Hello" and an
"Application Data" block (containing unencryted ldap_default_bind_dn and
ldap_default_authtok) before the server can even answer with an hello and the
server than sends (depending when the Application data arrives) either with an
Unexpected Message Fatal Alert or an Unencrypted Data Alert. (The ldap Server
log reports TLS handshake errors, while the on the sssd side one gets
"[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP
server]").
Some example data extracted from the output of wireshark:
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636),
Seq: 1, Ack: 1, Len: 150
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 145
Handshake Protocol: Client Hello
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636),
Seq: 151, Ack: 1, Len: 140
Secure Sockets Layer
TLSv1.2 Record Layer: Application Data Protocol: ldap
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 135
Encrypted Application Data:
30818402010160600201030439636e3dxxxxxxxxxxxxxxxx...
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 1, Ack: 151, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 1, Ack: 291, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 1, Ack: 291, Len: 1448
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 53
Handshake Protocol: Server Hello
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636),
Seq: 291, Ack: 1449, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 1449, Ack: 291, Len: 2648
[2 Reassembled TCP Segments (3389 bytes): #29(1390), #31(1999)]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 3384
Handshake Protocol: Certificate
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 527
Handshake Protocol: Server Key Exchange
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636),
Seq: 291, Ack: 4097, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 4097, Ack: 291, Len: 216
[2 Reassembled TCP Segments (333 bytes): #31(117), #33(216)]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 328
Handshake Protocol: Certificate Request
Handshake Protocol: Server Hello Done
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636),
Seq: 291, Ack: 4313, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911),
Seq: 4313, Ack: 291, Len: 7
Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unexpected Message)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
The content of the "Application Data Protocol: ldap" package is plain
non-encrypted data (here a bit redacted):
0``9cn=XXXXXXXXXXXXXXXXXXXX,cn=XXXXXXXXXXXXX,cn=XXXX,ou=XXXXX
MYPASWORD_______________________01.3.6.1.4.1.42.2.27.8.5.1
As I can see it the cause of this is that in
../openldap-2.4.44+dfsg/libraries/libldap/tls2.c
the code is:
#ifdef LDAP_USE_NON_BLOCKING_TLS
/*
* Use non-blocking io during SSL Handshake when a timeout is configured
*/
if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
tv = ld->ld_options.ldo_tm_net;
tv0 = tv;
#ifdef HAVE_GETTIMEOFDAY
gettimeofday( &start_time_tv, NULL );
#else /* ! HAVE_GETTIMEOFDAY */
time( &start_time_tv.tv_sec );
start_time_tv.tv_usec = 0;
#endif /* ! HAVE_GETTIMEOFDAY */
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
ld->ld_errno = LDAP_SUCCESS;
ret = ldap_int_tls_connect( ld, conn );
#ifdef LDAP_USE_NON_BLOCKING_TLS
while ( ret > 0 ) { /* this should only happen for non-blocking io */
[shortened to make it more readable]
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
if ( ret < 0 ) {
if ( ld->ld_errno == LDAP_SUCCESS )
ld->ld_errno = LDAP_CONNECT_ERROR;
return (ld->ld_errno);
}
ssl = ldap_pvt_tls_sb_ctx( sb );
assert( ssl != NULL );
/*
* compare host with name(s) in certificate
*/
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
}
}
return LDAP_SUCCESS;
}
i.e. libldap expect that if it does not set the fd non-blocking,
ldap_int_tls_connect will not return > 0 (which it does if gnutls_handshare
returns GNUTLS_E_AGAIN).
(and the only place LDAP_USE_NON_BLOCKING_TLS is defined is:
#ifdef LDAP_DEVEL
#define LDAP_USE_NON_BLOCKING_TLS
#endif /* LDAP_DEVEL */
earlier in the same file. Running sssd in an debugger shows that the code is
not compiled in (i.e. it is not defined as expected))
The test of sssd with the problem was done with libldap-2.4-2 version
2.4.44+dfsg-2 and libgnutls30 version 3.5.7-3.
--- End Message ---
--- Begin Message ---
Source: sssd
Source-Version: 1.14.2-2.1
We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 849...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Petter Reinholdtsen <p...@debian.org> (supplier of updated sssd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 24 Jan 2017 22:26:17 +0000
Source: sssd
Binary: sssd sssd-common sssd-ad sssd-ad-common sssd-dbus sssd-ipa sssd-krb5
sssd-krb5-common sssd-ldap sssd-proxy sssd-tools libnss-sss libpam-sss
libipa-hbac0 libipa-hbac-dev libsss-idmap0 libsss-idmap-dev libsss-nss-idmap0
libsss-nss-idmap-dev libsss-sudo libsss-simpleifp0 libsss-simpleifp-dev
libwbclient-sssd libwbclient-sssd-dev python-libipa-hbac
python-libsss-nss-idmap python-sss python3-libipa-hbac python3-libsss-nss-idmap
python3-sss
Architecture: source
Version: 1.14.2-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian SSSD Team <pkg-sssd-de...@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <p...@debian.org>
Description:
libipa-hbac-dev - FreeIPA HBAC Evaluator library
libipa-hbac0 - FreeIPA HBAC Evaluator library
libnss-sss - Nss library for the System Security Services Daemon
libpam-sss - Pam module for the System Security Services Daemon
libsss-idmap-dev - ID mapping library for SSSD -- development files
libsss-idmap0 - ID mapping library for SSSD
libsss-nss-idmap-dev - SID based lookups library for SSSD -- development files
libsss-nss-idmap0 - SID based lookups library for SSSD
libsss-simpleifp-dev - SSSD D-Bus responder helper library -- development files
libsss-simpleifp0 - SSSD D-Bus responder helper library
libsss-sudo - Communicator library for sudo
libwbclient-sssd - SSSD libwbclient implementation
libwbclient-sssd-dev - SSSD libwbclient implementation -- development files
python-libipa-hbac - Python bindings for the FreeIPA HBAC Evaluator library
python-libsss-nss-idmap - Python bindings for the SID lookups library
python-sss - Python module for the System Security Services Daemon
python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library
python3-libsss-nss-idmap - Python3 bindings for the SID lookups library
python3-sss - Python3 module for the System Security Services Daemon
sssd - System Security Services Daemon -- metapackage
sssd-ad - System Security Services Daemon -- Active Directory back end
sssd-ad-common - System Security Services Daemon -- PAC responder
sssd-common - System Security Services Daemon -- common files
sssd-dbus - System Security Services Daemon -- D-Bus responder
sssd-ipa - System Security Services Daemon -- IPA back end
sssd-krb5 - System Security Services Daemon -- Kerberos back end
sssd-krb5-common - System Security Services Daemon -- Kerberos helpers
sssd-ldap - System Security Services Daemon -- LDAP back end
sssd-proxy - System Security Services Daemon -- proxy back end
sssd-tools - System Security Services Daemon -- tools
Closes: 849756
Changes:
sssd (1.14.2-2.1) unstable; urgency=low
.
* Non-maintainer upload with maintainer approval.
* ldap-blocking.diff: Fix ldaps connections by removing NON_BLOCKING from
socket options (Closes: 849756). Patch from upstream pull request #67.
Checksums-Sha1:
276b1256104dbfb604e499196fadbfe33b469213 4402 sssd_1.14.2-2.1.dsc
90386fab818d5ec7b3199e9edebf791b7bd5e849 37633 sssd_1.14.2-2.1.diff.gz
Checksums-Sha256:
9840a4f2a7c2abf5c500db521f2d54c0224900b5a628ca2404289dfde48260c1 4402
sssd_1.14.2-2.1.dsc
55af6db3aa0edd30e9b254ae46e7ab2191ad1963d09df2f9820e88a017cc0b29 37633
sssd_1.14.2-2.1.diff.gz
Files:
43c12cc1b9ad64a88f37d1f72cf73b87 4402 utils extra sssd_1.14.2-2.1.dsc
3eb998aadb95c0b36dcc65aa4c15726b 37633 utils extra sssd_1.14.2-2.1.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBWIfXMIEoCqCHuvsOAQICJBAAqJZNABCl1pAKZM38wxZah+wFPKJBpv/Y
9WkWJ3BpMLW1IRRErYRNxTWk1Gn45saWw8pJDzAqVVjSxtsH7Wd4fYtAkqqyfcQH
eazMi9y5dBGealjlSGJ5FXNimcRHFs7D1GracfQRAbDJN1c2TzD86UFXA5ktkaGB
eyyk72C63opAJQhiltKHjMi2FUKo2m51LN6OM6ljso4gqk60c5fznoq4DjQ40u8N
YhIfgCn8CePyfcqbNv5QRqyjTE04TaWszM4r5qGngNYCZNceLrHK7Y6QqjbV65D6
T/PI8b7D7cHJ5XkJcAeV5LwuOCTraf6itKmElCRPBFmGOm9wd65lrTEhdi5JDXLO
9Ewrdrg9FhirevlHCVGcOtvGAWJ/q1SknujsowfgheuiL9NLCMZnpHvo4nmLv9mW
7j4t6cOZrwefxgg37/Lj9tiaWADsQD2BHJOTvHqf7Ac7QzKi35NhovtVhjCtgqH8
ba49E2sttrM4405J1NL5nPVcDdnR6lcNf3e3mmvi243/DiIW55DI0kZ9s0PlQvNH
nLWUI1hNyT0SltR2RJ0CMRafYEpQacx72DwPhosuWvDKzq/XBKRBs22DmLr1z6x5
AHAz2WRAfuVqR7p7VePqo5AdRlax6OHNVj766DMwULD0JKinHRd6RX9+BX/GRAE6
X68LZE1tytk=
=xEWR
-----END PGP SIGNATURE-----
--- End Message ---
