Failed to access LDAP server when a valid certificate is at <hash>.1+


Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita
Hi,

We encountered a problem using OpenLDAP with OpenSSL when there was
more than one certificate with the same subject.

In our test setup, there were three self-signed certificates with the
same subject, two of which were expired and one was valid.
When the valid certificate is at <hash>.0, things work fine.

However, when an invalid certificate is at <hash>.0, it fails to connect
to the LDAP server even if the valid certificate is available at
<hash>.1 or <hash>.2.

# openldapsearch -H <server>:636  -x -b ""  -s base objectclass=\*
namingcontexts
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The trace of the process shows that all 3 certificates were opened but
X509_verify_cert() returns 0 when an invalid certificate is at <hash>.0.

Does OpenSSL stop searching for a valid certificate when it finds a
certificate with matching DN?

Thank you,

-- misaki
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Viktor Dukhovni


On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <[hidden email]> wrote:

> We encountered a problem using OpenLDAP with OpenSSL when there was more than one certificate with the same subject.
>
> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?

Yes, when a matching issuer is found in the trust store but is expired,
no alternative certificates will be tested.  You need to remove outdated
issuer certificates from your trust store before they expire.

--
        Viktor.

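Viktor's answer describes the lookup: OpenSSL takes the first `<hash>.N` link whose subject matches the issuer it needs and, if that certificate is expired, does not go on to `<hash>.1`, `<hash>.2` and so on. The audit below is an added example (not code from this thread or from OpenSSL) of the hygiene check his answer calls for: it reads notAfter straight out of the DER with only the standard library, groups links by hash the way a CApath directory does, and reports both the expired links to remove and any hash whose `.0` link is expired while a later link is still valid. The hash `deadbeef`, the dates and the `fake_cert()` stand-in (a Certificate-shaped DER blob with empty names and no signature) are constructed for the demo.

```python
from datetime import datetime, timezone

def _tlv(der, off):
    """DER TLV header at off -> (tag, value_start, value_end), incl. long-form lengths."""
    tag, length, off = der[off], der[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(der[off:off + n], "big"), off + n
    return tag, off, off + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, off, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, off, _ = _tlv(der, off)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    off = end if tag == 0xA0 else off   # skip the optional [0] EXPLICIT version
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, off = _tlv(der, off)
    _, off, _ = _tlv(der, off)          # validity SEQUENCE
    _, _, off = _tlv(der, off)          # notBefore
    tag, s, e = _tlv(der, off)          # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def audit_capath(entries, now):
    """entries = {"<hash>.N": der}. Returns (expired links to remove, hashes whose .0 link is
    expired while a later .N is still valid: the layout that broke X509_verify_cert() above)."""
    by_hash, expired = {}, []
    for name, der in sorted(entries.items()):
        h, _, n = name.rpartition(".")
        ok = not_after(der) > now                       # True = still valid at `now`
        by_hash.setdefault(h, {})[int(n)] = ok
        if not ok:
            expired.append(name)
    shadowed = sorted(h for h, links in by_hash.items()
                      if not links.get(0, True) and any(v for n, v in links.items() if n > 0))
    return expired, shadowed

def _der(tag, body):                    # short-form DER encoder, only for the constructed sample
    return bytes([tag, len(body)]) + body
def fake_cert(not_after_utc):           # constructed, unsigned stand-in with the Certificate layout
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))   # empty names/sig: not a real cert

def demo():                             # constructed CApath mirroring the thread on 2017-10-21
    now = datetime(2017, 10, 21, tzinfo=timezone.utc)
    entries = {f"deadbeef.{i}": fake_cert(t)            # .0 and .1 expired, .2 still valid
               for i, t in enumerate([b"170101000000Z", b"160101000000Z", b"200101000000Z"])}
    return audit_capath(entries, now)   # -> (["deadbeef.0", "deadbeef.1"], ["deadbeef"])
```

To audit a real directory, build the `{name: der}` mapping from the `<hash>.N` files (base64-decoding the body between the BEGIN/END markers for PEM files) and pass `datetime.now(timezone.utc)` as `now`.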

Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita
Thanks for the reply, Viktor.

Is it possible to keep searching for a valid certificate if the first
matching certificate was not valid?
Our customer claims that the NSS Mozilla didn't have this issue, so this
is considered a regression for us.

Best Regards,

-- misaki

On 10/21/2017 3:21 PM, Viktor Dukhovni wrote:

>
> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <[hidden email]> wrote:
>
>> We encountered a problem using OpenLDAP with OpenSSL when there was more than one certificate with the same subject.
>>
>> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?
> Yes, when a matching issuer is found in the trust store but is expired,
> no alternative certificates will be tested.  You need to remove outdated
> issuer certificates from your trust store before they expire.
>


Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Viktor Dukhovni


> On Jan 8, 2018, at 5:46 PM, Misaki Miyashita <[hidden email]> wrote:
>
> I would like to suggest the following fix so that a valid certificate at <hash>.x can be recognized during the cert validation even when <hash>.0 is linking to a bad/expired certificate.  This may not be the most elegant solution, but it is a minimal change with low impact to the rest of the code.

The patch looks wrong to me.  It seems to have a memory leak.
It is also not clear that with CApath all the certificates will
already be loaded, so the iterator may not find the desired
matching element.

> Could I possibly get a review on the change? and possibly be considered to be integrated to the upstream?
> (This is for the 1.0.1 branch)

The 1.0.1 branch is no longer supported.

--
        Viktor.


Re: Failed to access LDAP server when a valid certificate is at <hash>.1+

Misaki Miyashita
Thank you so much for the review, Viktor.

On 1/8/2018 5:57 PM, Viktor Dukhovni wrote:
>> On Jan 8, 2018, at 5:46 PM, Misaki Miyashita <[hidden email]> wrote:
>>
>> I would like to suggest the following fix so that a valid certificate at <hash>.x can be recognized during the cert validation even when <hash>.0 is linking to a bad/expired certificate.  This may not be the most elegant solution, but it is a minimal change with low impact to the rest of the code.
> The patch looks wrong to me.  It seems to have a memory leak.
> It is also not clear that with CApath all the certificates will
> already be loaded, so the iterator may not find the desired
> matching element.

I will look into the code to see if there is a memory leak issue.
However, we have tested internally and all certificates (valid and
invalid) were loaded, and the suggested fix is able to identify the
matching valid certificate.

>
>> Could I possibly get a review on the change? and possibly be considered to be integrated to the upstream?
>> (This is for the 1.0.1 branch)
> The 1.0.1 branch is no longer supported.

Sorry, that was a typo :-(  I meant the 1.0.2 branch.

-- misaki