Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LDAPS does not work with private TLS CA; HTTPS works #11372

Closed
vlkl-sap opened this issue Jun 22, 2023 · 6 comments
Closed

LDAPS does not work with private TLS CA; HTTPS works #11372

vlkl-sap opened this issue Jun 22, 2023 · 6 comments
Labels
LDAP TLS

Comments

@vlkl-sap
Copy link

vlkl-sap commented Jun 22, 2023
edited

Hello,

I suddenly have trouble with LDAPS requests to a server that uses a private TLS CA. The LDAPS requests used to work ~18 months ago,

HTTPS requests to servers that use the same TLS CA work.

Thanks!

I did this

Original LDAPS request (failing)

curl "ldaps://<ldap_server_using_private_ca>/<ldap_query>"

curl: (58) LDAP local: ERROR PEM CA cert not set

Demo HTTPS request (TLS succeeding, but server does not speak HTTPS)

curl https://<ldap_server_using_private_ca>:636

curl: (56) Recv failure: Connection reset by peer

Demo HTTPS request without trusted CA cert (TLS failing as expected)

curl --capath . https://<ldap_server_using_private_ca>:636

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

curl/libcurl version

curl 8.0.1 (x86_64-suse-linux-gnu) libcurl/8.0.1 OpenSSL/1.0.2p-fips zlib/1.2.11 libssh/0.8.7/openssl/zlib nghttp2/1.39.2
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

operating system

Linux <...> 4.12.14-122.159-default #1 SMP Fri May 5 08:15:43 UTC 2023 (46caa9e) x86_64 x86_64 x86_64 GNU/Linux

PRETTY_NAME="SUSE Linux Enterprise Server 12 SP5"
@bagder
Copy link
Member

bagder commented Jun 22, 2023

The LDAPS requests used to work ~18 months ago,

So how did all the involved components change in the mean time? libcurl version, TLS library version, OpenLDAP version and CA store?

@bagder
Copy link
Member

bagder commented Jun 22, 2023
edited

The OpenLDAP related code in curl does not seem to make any effort to set the provided paths for this. 😢

I can't even figure out how to use the OpenLDAP API to point out a custom CA store. I can only find documentation mentioning setting a different path in /usr/local/etc/openldap/ldap.conf but I hope this is not the only way. 🤔

@hyc: any ideas/proposal of where to look?

@vlkl-sap
Copy link
Author

Thanks. Here is what I think has changed. Pulling this data out of the package manager log is finicky, so I cannot guarantee that I did not make a mistake. 🫤

package working failing
libcurl4 7.60.0-11.34.2 8.0.1-11.65.2
libldap-2_4-2 2.4.41-22.2.3 2.4.41-22.19.1
libopenssl1_0_0 1.0.2p-3.45.1 1.1.1d-2.84.1

@bagder
Copy link
Member

bagder commented Jun 22, 2023

I believe #11374 fixes it.

bagder added a commit that referenced this issue Jun 22, 2023
@bagder
configure: add check for ldap_init_fd
9871230 
... as otherwise the configure script will say it is OpenLDAP in the
summary, but not set the USE_OPENLDAP define, therefor not using the
intended OpenLDAP code paths.

Regression since 4d73854 (7.85.0)
Fixes #11372
Closes #11374
Reported-by: vlkl-sap on github
@vlkl-sap
Copy link
Author

Ah, great to hear! I cannot realistically build curl from source, but I can test it once it hits curlimages/curl.
Thanks!

@hyc
Copy link
Contributor

hyc commented Jun 22, 2023

The OpenLDAP related code in curl does not seem to make any effort to set the provided paths for this. cry

I can't even figure out how to use the OpenLDAP API to point out a custom CA store. I can only find documentation mentioning setting a different path in /usr/local/etc/openldap/ldap.conf but I hope this is not the only way. thinking

@hyc: any ideas/proposal of where to look?

Sounds like you've already fixed this, but to answer your question, you want to read the ldap_set_option(3) manpage.

@bagder bagder closed this as completed in 0ac6108 Jun 23, 2023
bch pushed a commit to bch/curl that referenced this issue Jul 19, 2023
@bagder @bch
configure: add check for ldap_init_fd
fada941 
... as otherwise the configure script will say it is OpenLDAP in the
summary, but not set the USE_OPENLDAP define, therefor not using the
intended OpenLDAP code paths.

Regression since 4d73854 (7.85.0)
Fixes curl#11372
Closes curl#11374
Reported-by: vlkl-sap on github
ptitSeb pushed a commit to wasix-org/curl that referenced this issue Sep 25, 2023
@bagder @ptitSeb
configure: add check for ldap_init_fd
259d715 
... as otherwise the configure script will say it is OpenLDAP in the
summary, but not set the USE_OPENLDAP define, therefor not using the
intended OpenLDAP code paths.

Regression since 4d73854 (7.85.0)
Fixes curl#11372
Closes curl#11374
Reported-by: vlkl-sap on github
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
LDAP TLS
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bagder @hyc @vlkl-sap