Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1027830: openssl: starttls fails on our LDAP server on bullseye, but it works on buster
145 views
Skip to first unread message
Jonathan
Jan 3, 2023, 4:10:03 PM1/3/23
to
Package: openssl
Version: 1.1.1k-1
Severity: normal
Dear Maintainer,
* What led up to the situation?
After trying to update to bullseye, connecting to our LDAP server no longer works, both with pam_ldap package as well as using ldapsearch from ldap-utils.
* What exactly did you do (or not do) that was effective (or
ineffective)?
On Debian 9 or 10, or on Ubuntu 22.04, our configuration works and ldapsearch with the -ZZ flag works.
On Debian 11, it does not. I've tried installing the version of the openssl package that Debian 10 uses on a Debian 11 system, but still it didn't work.
Querying the server with the following command works perfectly:
openssl s_client -starttls ldap -connect <hostname>:<port>
The output of this command says amongst other things "SSL handshake has read 4692 bytes and written 436 bytes. Verification: OK" and lists the full certificate chain.
If adding the -showcerts flag, all certificates in the chain are shown succesfully.
* What was the outcome of this action?
ldapsearch gives the following output:
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
* What outcome did you expect instead?
It should query the LDAP server and successfully return data.
-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.83-1-pve (SMP w/1 CPU thread)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.31-13
ii libssl1.1 1.1.1k-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20210119
-- no debconf information
Version: 1.1.1k-1
Severity: normal
Dear Maintainer,
* What led up to the situation?
After trying to update to bullseye, connecting to our LDAP server no longer works, both with pam_ldap package as well as using ldapsearch from ldap-utils.
* What exactly did you do (or not do) that was effective (or
ineffective)?
On Debian 9 or 10, or on Ubuntu 22.04, our configuration works and ldapsearch with the -ZZ flag works.
On Debian 11, it does not. I've tried installing the version of the openssl package that Debian 10 uses on a Debian 11 system, but still it didn't work.
Querying the server with the following command works perfectly:
openssl s_client -starttls ldap -connect <hostname>:<port>
The output of this command says amongst other things "SSL handshake has read 4692 bytes and written 436 bytes. Verification: OK" and lists the full certificate chain.
If adding the -showcerts flag, all certificates in the chain are shown succesfully.
* What was the outcome of this action?
ldapsearch gives the following output:
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
* What outcome did you expect instead?
It should query the LDAP server and successfully return data.
-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.83-1-pve (SMP w/1 CPU thread)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.31-13
ii libssl1.1 1.1.1k-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20210119
-- no debconf information
Sebastian Andrzej Siewior
Jan 4, 2023, 5:30:04 AM1/4/23
to
On 2023-01-03 20:21:57 [+0000], Jonathan wrote:
> Package: openssl
Sebastian
> Package: openssl
> * What led up to the situation?
>
> After trying to update to bullseye, connecting to our LDAP server no longer works, both with pam_ldap package as well as using ldapsearch from ldap-utils.
What happens with if you add "-d -1" to ldapsearch?
>
> After trying to update to bullseye, connecting to our LDAP server no longer works, both with pam_ldap package as well as using ldapsearch from ldap-utils.
Sebastian
Sebastian Andrzej Siewior
Jan 19, 2023, 2:20:04 PM1/19/23
to
control: reassign -1 ldap-utils 2.4.57+dfsg-3
On 2023-01-04 13:50:53 [+0000], Jonathan Rietveld wrote:
> We've since found out that installing libldap-common resolves our
> issue, as others
> (https://github.com/wheelybird/ldap-user-manager/issues/172 and
> https://github.com/docker-mailserver/docker-mailserver/issues/2340)
> found out. This package is installed by default on buster (even before
> installing any ldap-related packages), but not on bullseye.
>
> Perhaps it might make sense to add libldap-common as a dependency for
> other packages like libnss-ldap, pam_ldap or ldap-utils on bullseye?
Based on Jonathan's investigation, I reasign the bug to
openldap/ldap-utils since it appears it has to depend on libldap-common
in order to get TLS to work with ceritificate validation. It has only
recommends via libldap-*.
This poped up on the openssl package but it appears to use gnutls stack
instead.
> Kind regards,
>
> Jonathan
Sebastian
On 2023-01-04 13:50:53 [+0000], Jonathan Rietveld wrote:
> We've since found out that installing libldap-common resolves our
> issue, as others
> (https://github.com/wheelybird/ldap-user-manager/issues/172 and
> https://github.com/docker-mailserver/docker-mailserver/issues/2340)
> found out. This package is installed by default on buster (even before
> installing any ldap-related packages), but not on bullseye.
>
> Perhaps it might make sense to add libldap-common as a dependency for
> other packages like libnss-ldap, pam_ldap or ldap-utils on bullseye?
Based on Jonathan's investigation, I reasign the bug to
openldap/ldap-utils since it appears it has to depend on libldap-common
in order to get TLS to work with ceritificate validation. It has only
recommends via libldap-*.
This poped up on the openssl package but it appears to use gnutls stack
instead.
> Kind regards,
>
> Jonathan
Sebastian
Sebastian Andrzej Siewior
Jan 19, 2023, 3:40:03 PM1/19/23
to
On 2023-01-19 12:02:52 [-0800], Ryan Tandy wrote:
> Hello Jonathan and Sebastian.
Hi Ryan,
> In any case I believe the use of Recommends is Policy-compliant since there
> are myriad ways to specify the trusted CAs and the default ldap.conf setting
> is only for convenience.
It sounds reasonable. Thank you for the detailed explanation.
> thanks,
> Ryan
Sebastian
> Hello Jonathan and Sebastian.
Hi Ryan,
> In any case I believe the use of Recommends is Policy-compliant since there
> are myriad ways to specify the trusted CAs and the default ldap.conf setting
> is only for convenience.
It sounds reasonable. Thank you for the detailed explanation.
> thanks,
> Ryan
Sebastian
0 new messages