Saturday, November 02, 2019

Re: LDAP tls: handshake failure

Hi Predrag,

On Sat, 02 Nov 2019 05:45:08 +0100,
Predrag Punosevac wrote:
>
> Martijn van Duren wrote:
>
> > On 10/24/19 2:25 PM, Claudio Jeker wrote:
> > >
> > > OK claudio@
> > >
> > I'll commit this soon-ish based on claudio's OK, but if at all
> > possible I would like to ask the people affected by this to test this
> > and see if this solves their problem.
>
> I did this on the pair of LDAP servers atlas and titan to make sure I
> can reproduce results.
>
> atlas# uname -a
> OpenBSD atlas.int.autonlab.org 6.6 GENERIC.MP#0 amd64
> atlas# syspatch -l
> 001_bpf
> 002_ber
> 003_bgpd
> atlas# rcctl restart ldapd
> ldapd(ok)
> ldapd(ok)
> atlas# ldapvi -ZZ
> ldap_start_tls_s: Protocol error (2)
>
>
> # Getting source code
>
> atlas# cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs checkout -rOPENBSD_6_6 -P src
> atlas# cvs -q up -Pd -rOPENBSD_6_6
>
> atlas# make clean
> atlas# make obj
> atlas# make
> atlas# make install
>
> #atlas rcctl restart ldapd
> ldapd(ok)
> ldapd(ok)
> atlas# ldapvi -ZZ
> ldap_start_tls_s: Protocol error (2)
>
> Upon close inspection I see that cvs is pulling the revision 1.31.2.1
>
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ldape.c?r1=1.33
> which is the same as the binary patch I already installed.
>
>
> Manually fetching revision 1.33, which I am guessing is going to -current,
> and rebuilding the daemon
>
> ldapvi -ZZ
>
> is now successful.
>
> So for me personally version 1.33 of ldape.c works. This is the
> difference between 1.31.2.1, which can be obtained as a binary patch, and
> version 1.33:
>
> atlas# diff ldape.c.v.1.31.2.1 ldape.c.v.1.33
> 1c1
> < /* $OpenBSD: ldape.c,v 1.31.2.1 2019/10/27 20:05:13 tb Exp $ */
> ---
> > /* $OpenBSD: ldape.c,v 1.33 2019/10/26 17:52:55 martijn Exp $ */
> 301d300
> < struct ber_element *ext_val = NULL;
> 310c309
> < if (ober_scanf_elements(req->op, "{se", &oid, &ext_val) != 0)
> ---
> > if (ober_scanf_elements(req->op, "{s", &oid) != 0)
> 314c313
> < req->op = ext_val;
> ---
> > req->op = req->op->be_sub->be_next;
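Review bot: in hunks 310c309 and 314c313 the line `req->op = req->op->be_sub->be_next;` is assigned without a NULL check, so after scanning only `{s` the new `req->op` is NULL whenever the extended request carries no value (StartTLS being the case exercised by `ldapvi -ZZ` above); every later consumer of `req->op` must tolerate that NULL, and a one-line comment here stating that the value element is optional would document why the stricter `{se` form in 1.31.2.1, which demanded that element, produced `ldap_start_tls_s: Protocol error (2)` in the test at the top of the message.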

The patch is only in -current / snapshots, but not in -stable.

Best regards
Robert
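An added illustration, not code from OpenBSD's ldapd or from anyone in this thread: a minimal BER encoder for an LDAP ExtendedRequest (RFC 4511) and two parsers, one that insists on the OPTIONAL requestValue the way the `{se` format string in ldape.c 1.31.2.1 does, and one that accepts its absence the way 1.33 does. The StartTLS OID is the standard one from RFC 4511; the helper names are my own.

```python
# Added example (not ldapd code): why a parser that demands the OPTIONAL
# requestValue rejects a StartTLS ExtendedRequest with protocolError.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS OID

APP23 = 0x77   # [APPLICATION 23] constructed: ExtendedRequest
CTX0 = 0x80    # [0] requestName (LDAPOID)
CTX1 = 0x81    # [1] requestValue (OCTET STRING OPTIONAL)

def tlv(tag, body):
    # BER tag-length-value, short-form length only (enough for this demo)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def extended_request(oid, value=None):
    body = tlv(CTX0, oid)
    if value is not None:          # requestValue is optional
        body += tlv(CTX1, value)
    return tlv(APP23, body)

def parse_elements(buf):
    # split a constructed body into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        out.append((tag, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def parse_strict(msg):
    # mirrors "{se": the second element is mandatory, StartTLS has none
    tag, body = parse_elements(msg)[0]
    elems = parse_elements(body)
    if tag != APP23 or len(elems) < 2 or elems[0][0] != CTX0:
        raise ValueError("protocolError")
    return elems[0][1], elems[1][1]

def parse_lenient(msg):
    # mirrors "{s" plus be_sub->be_next: the value may be absent (None)
    tag, body = parse_elements(msg)[0]
    elems = parse_elements(body)
    if tag != APP23 or not elems or elems[0][0] != CTX0:
        raise ValueError("protocolError")
    if len(elems) > 1 and elems[1][0] != CTX1:
        raise ValueError("protocolError")
    value = elems[1][1] if len(elems) > 1 else None
    return elems[0][1], value

def rejected(parser, msg):
    # True when the parser answers protocolError for this message
    try:
        parser(msg)
        return False
    except ValueError:
        return True
```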
