
LDAPS does not work with private TLS CA; HTTPS works #11372

Closed
vlkl-sap opened this issue Jun 22, 2023 · 6 comments

Comments

@vlkl-sap

vlkl-sap commented Jun 22, 2023

Hello,

I suddenly have trouble with LDAPS requests to a server that uses a private TLS CA. The LDAPS requests used to work ~18 months ago.

HTTPS requests to servers that use the same TLS CA work.

Thanks!

I did this

Original LDAPS request (failing)

curl "ldaps://<ldap_server_using_private_ca>/<ldap_query>"
curl: (58) LDAP local: ERROR PEM CA cert not set

Demo HTTPS request (TLS succeeding, but server does not speak HTTPS)

curl https://<ldap_server_using_private_ca>:636
curl: (56) Recv failure: Connection reset by peer

Demo HTTPS request without trusted CA cert (TLS failing as expected)

curl --capath . https://<ldap_server_using_private_ca>:636
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

curl/libcurl version

curl 8.0.1 (x86_64-suse-linux-gnu) libcurl/8.0.1 OpenSSL/1.0.2p-fips zlib/1.2.11 libssh/0.8.7/openssl/zlib nghttp2/1.39.2
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

operating system

Linux <...> 4.12.14-122.159-default #1 SMP Fri May 5 08:15:43 UTC 2023 (46caa9e) x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP5"
@bagder
Member

bagder commented Jun 22, 2023

The LDAPS requests used to work ~18 months ago,

So how did all the involved components change in the mean time? libcurl version, TLS library version, OpenLDAP version and CA store?

@bagder
Member

bagder commented Jun 22, 2023

The OpenLDAP related code in curl does not seem to make any effort to set the provided paths for this. 😢

I can't even figure out how to use the OpenLDAP API to point out a custom CA store. I can only find documentation mentioning setting a different path in /usr/local/etc/openldap/ldap.conf but I hope this is not the only way. 🤔

@hyc: any ideas/proposal of where to look?

@vlkl-sap
Author

Thanks. Here is what I think has changed. Pulling this data out of the package manager log is finicky, so I cannot guarantee that I did not make a mistake. 🫤

package           working          failing
libcurl4          7.60.0-11.34.2   8.0.1-11.65.2
libldap-2_4-2     2.4.41-22.2.3    2.4.41-22.19.1
libopenssl1_0_0   1.0.2p-3.45.1    1.1.1d-2.84.1

@bagder
Member

bagder commented Jun 22, 2023

I believe #11374 fixes it.

bagder added a commit that referenced this issue Jun 22, 2023
... as otherwise the configure script will say it is OpenLDAP in the
summary, but not set the USE_OPENLDAP define, therefore not using the
intended OpenLDAP code paths.

Regression since 4d73854 (7.85.0)
Fixes #11372
Closes #11374
Reported-by: vlkl-sap on github
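The commit message above pins the regression on a binary that falls back to the legacy LDAP code path instead of the OpenLDAP one. The following added example (not code from the issue or from the curl project) classifies `curl -V` output to tell which path a binary has, using the reporter's own output as the failing sample; it assumes that a curl built with USE_OPENLDAP prints an `OpenLDAP/x.y.z` token on the first line of `curl -V`, which the reporter's output lacks.

```shell
#!/bin/sh
# Added example, not code from the issue or from curl: classify `curl -V`
# output to tell whether the binary has the OpenLDAP code path (the one that
# honours --cacert/--capath for ldaps://) or the legacy LDAP path that fails
# with "LDAP local: ERROR PEM CA cert not set".
# Assumption: a curl built with USE_OPENLDAP prints an "OpenLDAP/x.y.z" token
# on the first line of `curl -V`; the reporter's output in this issue has none.

# Sample 1: the reporter's `curl -V` output from this issue (failing build).
REPORTED_CURL_V='curl 8.0.1 (x86_64-suse-linux-gnu) libcurl/8.0.1 OpenSSL/1.0.2p-fips zlib/1.2.11 libssh/0.8.7/openssl/zlib nghttp2/1.39.2
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets'

# Sample 2: constructed output for a build with the OpenLDAP path enabled.
FIXED_CURL_V='curl 8.2.0 (x86_64-pc-linux-gnu) libcurl/8.2.0 OpenSSL/3.0.9 zlib/1.2.13 OpenLDAP/2.5.14
Release-Date: 2023-07-19
Protocols: dict file ftp ftps http https imap imaps ldap ldaps mqtt pop3 pop3s smtp smtps
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL UnixSockets'

# ldaps_ca_path_check CURL_V_OUTPUT
# Prints no-ldaps, legacy-ldap or openldap; exits 0 only when a private CA
# passed via --cacert/--capath can be expected to work for ldaps://.
ldaps_ca_path_check() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    protos=$(printf '%s\n' "$1" | sed -n 's/^Protocols: //p')
    case " $protos " in
        *" ldaps "*) ;;                               # ldaps compiled in
        *) echo "no-ldaps"; return 2 ;;
    esac
    case " $first " in
        *" OpenLDAP/"*) echo "openldap"; return 0 ;;  # honours --cacert/--capath
        *) echo "legacy-ldap"; return 1 ;;            # expect "PEM CA cert not set"
    esac
}

for sample in "$REPORTED_CURL_V" "$FIXED_CURL_V"; do
    verdict=$(ldaps_ca_path_check "$sample") || true
    banner=$(printf '%s\n' "$sample" | sed -n '1p' | cut -d' ' -f1-2)
    printf '%s -> %s\n' "$banner" "$verdict"
done
```

On a host where LDAPS against a private CA fails, run `ldaps_ca_path_check "$(curl -V)"` against the installed binary; a `legacy-ldap` verdict means the build itself, not the CA bundle, needs fixing.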
@vlkl-sap
Author

Ah, great to hear! I cannot realistically build curl from source, but I can test it once it hits curlimages/curl.
Thanks!

@hyc
Contributor

hyc commented Jun 22, 2023

The OpenLDAP related code in curl does not seem to make any effort to set the provided paths for this. 😢

I can't even figure out how to use the OpenLDAP API to point out a custom CA store. I can only find documentation mentioning setting a different path in /usr/local/etc/openldap/ldap.conf but I hope this is not the only way. 🤔

@hyc: any ideas/proposal of where to look?

Sounds like you've already fixed this, but to answer your question, you want to read the ldap_set_option(3) manpage.

@bagder bagder closed this as completed in 0ac6108 Jun 23, 2023
bch pushed a commit to bch/curl that referenced this issue Jul 19, 2023
ptitSeb pushed a commit to wasix-org/curl that referenced this issue Sep 25, 2023