Enabling TLS via users.ldap disables peer checking

[grahamc]

If someone enables TLS in users.ldap, our module turns off TLS peer checking. This must not be the default behavior, and should be changed ASAP. Not sure if we can apply this to stable or not.

https://github.com/NixOS/nixpkgs/blob/release-17.03/nixos/modules/config/ldap.nix#L20-L23

or pinned for time:

nixpkgs/nixos/modules/config/ldap.nix

Lines 20 to 23 in 07c44b8

	${optionalString config.users.ldap.useTLS ''
	ssl start_tls
	tls_checkpeer no
	''}

[grahamc]

cc @fpletz @domenkozar

[fpletz]

This has to be fixed for stable. We might break setups, but that's acceptable in this case IMHO. We have to send an advisory to nix-devel and nix-security to inform our users though.

@grahamc Do you intend to fix this? I can handle this or support you.

[grahamc]

I'm working on a patch.

[grahamc]

master: 2b2a6f2

[grahamc]

17.03: b3fa629

[grahamc]

Addressed, announced, and mail sent to oss-security. Working on a CVE.

[fpletz]

CVE-2017-11501 has been assigned to this vulnerability.

[nbp]

Would it be possible to write a test case for this issue, such that it does not appear again in the future?

[grahamc]

I'm sure it could be done, @nbp :) I don't know LDAP though. Can you do it?

[nbp]

I don't know much about LDAP, but I think the in the worse case we could assert that the line is not present in the final content of the configuration file. Still, I don't think we have any failing test case in NixOS at the moment.