
LDAP connector does not verify TLS certificates #5906

Closed
imrejonk opened this issue Apr 24, 2019 · 3 comments · Fixed by #8569
Labels: blocker (If not finished by release date, the release will be postponed.), bug, ldap, security, triaged

@imrejonk

Expected Behavior

Graylog should verify the LDAP server certificate chain up to a trusted root, and refuse the connection when the certificate chain cannot be verified.

Current Behavior

Graylog accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks.

Possible Solution

Steps to Reproduce (for bugs)

  1. Navigate to the LDAP / Active Directory configuration page.
  2. Enable LDAP, choose server type 'LDAP' and enter the address of a STARTTLS-enabled LDAP server, whose TLS certificate should not be verifiable by the server. Uncheck 'SSL' and 'Allow self-signed certificates'. Check 'StartTLS'.
  3. Provide a bind DN and password in the 'System Username' and 'System Password' fields.
  4. Click the 'Test Server Connection' button.

Context

We run Graylog in a Docker container, using the official Docker image. Our LDAP server is on a different network. We would be better protected against man-in-the-middle attacks if Graylog verifies the LDAP server certificate.

Your Environment

  • Graylog Version: 3.0.1
  • Elasticsearch Version: 6.6.2
  • MongoDB Version: 3.6.12
  • Operating System: Debian 9 inside Graylog Docker container
  • Browser version: Firefox 60.6.1esr
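As an added example (not Graylog's code, and not part of the original issue), the following Python probe does what the "Steps to Reproduce" above do by hand: it opens a plain LDAP connection, sends the StartTLS extended operation, and then upgrades the socket with a context that verifies the chain and hostname, so an unverifiable chain fails with `ssl.SSLCertVerificationError` instead of being accepted. `permissive_context()` is the equivalent of the 'Allow self-signed certificates' setting, included only to contrast with the strict one; `verifies_chain()` is a quick check of which behaviour a given context has. The host, port and CA file arguments are assumptions for illustration; the request and response bytes in the comments are constructed from the LDAP BER layout.

```python
import socket
import ssl
import sys

# LDAP StartTLS extended operation OID (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form up to 127, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + _ber_len(len(value)) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    message_id is assumed to fit in one byte (0..127) for this probe.
    For message_id 1 the encoding is 30 1d 02 01 01 77 18 80 16 <OID>.
    """
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # [APPLICATION 23], [0] requestName
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def starttls_result_code(response: bytes) -> int:
    """Extract resultCode from an ExtendedResponse; 0 means the server is ready for TLS."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)       # skip messageID
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:                     # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)    # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def strict_context(cafile=None) -> ssl.SSLContext:
    """What the issue asks for: chain verified to a trusted root, hostname checked.

    cafile is an optional path to the root(s) to trust; None uses the system store.
    """
    return ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True


def permissive_context() -> ssl.SSLContext:
    """Equivalent of 'Allow self-signed certificates': any chain is accepted (MITM-able)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_chain(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an untrusted chain or a hostname mismatch."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ldap_starttls(host: str, port: int = 389, cafile=None, timeout: float = 5.0) -> str:
    """Connect, upgrade with StartTLS, enforce verification; return the TLS version.

    Raises ssl.SSLCertVerificationError when the chain cannot be verified.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = starttls_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS (resultCode {code})")
        with strict_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Usage: python probe.py ldap.example.internal [ca.pem]  (hypothetical host)
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(ldap_starttls(sys.argv[1], cafile=ca))
```

Run against the same server used in step 2: with a chain that does not reach a trusted root the probe aborts at the handshake, which is the behaviour the report expects from the 'Test Server Connection' button.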
@SammyA

SammyA commented Jul 10, 2020

Noticed same issue here:
Graylog Version: 3.3.2
Docker image: graylog/graylog:3.3

@imrejonk
Author

imrejonk commented Aug 3, 2020

I just upgraded our Graylog installation to 3.3.3 and tried to reproduce this issue. Looks like Graylog now properly validates the LDAP TLS chain. Good to see that this was included in a patch release although it is a breaking change; security is important :)

@dennisoelkers Thanks for fixing this!

@dennisoelkers
Member

@imrejonk: Thanks for finding this issue in the first place and testing the fix! Much appreciated! :)
