[openldap] fix: connection hangs after fallback to second server when certificate hostname verification fails

jvcelak jvcelak at fedoraproject.org
Fri Sep 14 14:17:43 UTC 2012


commit 1f24c419ddaaa7e48c368750c552a6bcdd4a14f2
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Fri Sep 14 16:13:39 2012 +0200

    fix: connection hangs after fallback to second server when certificate hostname verification fails
    
    Resolves: #852476

 openldap-tls-no-reuse-of-tls_session.patch |   83 ++++++++++++++++++++++++++++
 openldap.spec                              |    3 +
 2 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/openldap-tls-no-reuse-of-tls_session.patch b/openldap-tls-no-reuse-of-tls_session.patch
new file mode 100644
index 0000000..4d08ada
--- /dev/null
+++ b/openldap-tls-no-reuse-of-tls_session.patch
@@ -0,0 +1,83 @@
+TLS: do not reuse tls_session if hostname check fails
+
+If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails,
+*tls_session is not dropped, but reused when connecting to the second server.
+
+This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor.
+From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling.
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Upstream ITS: #7373
+Resolves: #852476 
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index f0b5bef..b13cb6d 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -316,7 +316,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc )
+  */
+ 
+ static int
+-ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
++ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ {
+ 	Sockbuf *sb = conn->lconn_sb;
+ 	int	err;
+@@ -361,6 +361,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
+ 	errno = WSAGetLastError();
+ #endif
+ 
++	if ( err == 0 ) {
++		err = ldap_pvt_tls_check_hostname( ld, ssl, host );
++	}
++
+ 	if ( err < 0 )
+ 	{
+ 		char buf[256], *msg;
+@@ -491,7 +495,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
+ {
+ 	tls_session *session = s;
+ 
+-	return tls_imp->ti_session_chkhost( ld, session, name_in );
++	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
++	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
++		ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in );
++		if (ld->ld_errno != LDAP_SUCCESS) {
++			return ld->ld_errno;
++		}
++	}
++
++	return LDAP_SUCCESS;
+ }
+ 
+ int
+@@ -831,25 +843,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 	/*
+ 	 * Fortunately, the lib uses blocking io...
+ 	 */
+-	if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
++	if ( ldap_int_tls_connect( ld, conn, host ) < 0 ) {
+ 		ld->ld_errno = LDAP_CONNECT_ERROR;
+ 		return (ld->ld_errno);
+ 	}
+ 
+-	ssl = ldap_pvt_tls_sb_ctx( sb );
+-	assert( ssl != NULL );
+-
+-	/* 
+-	 * compare host with name(s) in certificate
+-	 */
+-	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+-	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
+-		ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
+-		if (ld->ld_errno != LDAP_SUCCESS) {
+-			return ld->ld_errno;
+-		}
+-	}
+-
+ 	return LDAP_SUCCESS;
+ }
+ 
+-- 
+1.7.11.4
+
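Review bot: The new `err = ldap_pvt_tls_check_hostname( ld, ssl, host );` in ldap_int_tls_connect is only acted on by the existing `if ( err < 0 )` branch, yet the rewritten ldap_pvt_tls_check_hostname returns `ld->ld_errno`, an LDAP result code it compares against `LDAP_SUCCESS`, and those codes are non-negative — so unless `ti_session_chkhost` happens to return a negative value on mismatch (not visible here), a failed hostname check would skip the teardown branch and the `< 0` test in ldap_int_tls_start would report success, silently accepting the mismatched certificate. A form that does not depend on the backend's convention is `if ( err == 0 && ldap_pvt_tls_check_hostname( ld, ssl, host ) != LDAP_SUCCESS ) err = -1;`, which guarantees the failure takes the branch that removes the TLS layer from the sockbuf (the stated goal of the patch). Note also that this branch passes `err` to `ti_session_errmsg`, which interprets handshake error codes, so the "TLS: can't connect" log line for a hostname mismatch may read "(unknown)"; the backend's own chkhost diagnostic is presumably the informative one. The rest of ldap_int_tls_connect after that branch and the start of ldap_int_tls_start lie outside the hunk, including the `ssl` local that the removed `ldap_pvt_tls_sb_ctx( sb )` lines used — check it is not now an unused variable.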
diff --git a/openldap.spec b/openldap.spec
index 51aebbb..6f03b5b 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -43,6 +43,7 @@ Patch11: openldap-ai-addrconfig.patch
 Patch12: openldap-nss-prefer-unlocked-key.patch
 Patch13: openldap-nss-allow-certname-with-token-name.patch
 Patch14: openldap-nss-update-list-of-ciphers.patch
+Patch15: openldap-tls-no-reuse-of-tls_session.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -159,6 +160,7 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 %patch101 -p1
 
@@ -618,6 +620,7 @@ exit 0
 %changelog
 * Fri Sep 14 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.32-3
 - fix: some TLS ciphers cannot be enabled (#852338)
+- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
 
 * Mon Aug 20 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.32-2
 - enhancement: TLS, prefer private keys from authenticated slots

