Mailing List Archive: exim: dev

[Bug 1273] `ldapauth` fails when TLS is enabled

 

 



alexz at visp

Jul 20, 2012, 2:53 AM

Post #1 of 5
[Bug 1273] `ldapauth` fails when TLS is enabled

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1273




--- Comment #1 from Alexander Zagrebin <alexz [at] visp> 2012-07-20 10:53:11 ---
Created an attachment (id=584)
--> (http://bugs.exim.org/attachment.cgi?id=584)
Patch


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


alexz at visp

Jul 20, 2012, 3:00 AM

Post #2 of 5
[Bug 1273] `ldapauth` fails when TLS is enabled [In reply to]


Alexander Zagrebin <alexz [at] visp> changed:

What |Removed |Added
----------------------------------------------------------------------------
OS/Version|Windows |FreeBSD






pdp at exim

Jul 21, 2012, 11:01 PM

Post #3 of 5
[Bug 1273] `ldapauth` fails when TLS is enabled [In reply to]


Phil Pennock <pdp [at] exim> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |pdp [at] exim




--- Comment #2 from Phil Pennock <pdp [at] exim> 2012-07-22 07:01:56 ---
Which LDAP server are you using?

The code change you use says to not use TLS if already *authenticated* to the
server; that may be a decent approximation, while the ldap_* options are not
expanded, but I'm reluctant to use it as-is because it means that if those
options become expanded, a configuration which allows anonymous binds without
TLS but is supposed to use TLS for an authenticated bind would avoid TLS and
this would then become a security bug.

Could you include a debug trace showing the lookups failing for you, with
sensitive data anonymised? I'm not in a situation to set up a decent test this
weekend to replicate myself.




alexz at visp

Jul 22, 2012, 11:30 PM

Post #4 of 5
[Bug 1273] `ldapauth` fails when TLS is enabled [In reply to]

--- Comment #3 from Alexander Zagrebin <alexz [at] visp> 2012-07-23 07:30:54 ---
(In reply to comment #2)
> Which LDAP server are you using?

OpenLDAP 2.4.31

> The code change you use says to not use TLS if already *authenticated* to the
> server; that may be a decent approximation, while the ldap_* options are not
> expanded, but I'm reluctant to use it as-is because it means that if those
> options become expanded, a configuration which allows anonymous binds without
> TLS but is supposed to use TLS for an authenticated bind would avoid TLS and
> this would then become a security bug.

Hm-m-m. lcp->bound will be set to TRUE after any successful bind, including an
anonymous (not authenticated) bind. So the patch prevents starting TLS if we
are already successfully connected to the server (that is the case when Exim uses
a cached connection).
When looking in the cache, Exim checks only the IP address and corresponding port
and does not check any options.
So, IMHO, it is impossible to have two connections (unprotected and protected
via TLS) to the same host/port at the same time.

> Could you include a debug trace showing the lookups failing for you, with
> sensitive data anonymised? I'm not in a situation to set up a decent test this
> weekend to replicate myself.

The log is attached.


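The two positions in comments #2 and #3 come down to what the connection cache uses as its key. The following is an added model written for this archive page; it is not Exim's src/lookups/ldap.c and not the patch in attachment 584. Every name in it (ldap_conn, conn_cache, cache_find, do_lookup, authenticated_lookup_gets_tls, tls_lookups_share_connection) is invented for the illustration, and the host name and bind DN are constructed sample data. It applies the patched rule "do not start TLS once lcp->bound is set" under both a (host, port) cache key, as comment #3 describes, and a key that also records whether TLS is required, and shows the plaintext reuse that comment #2 warns about would appear only if TLS became a per-lookup setting while the key stayed (host, port).

```c
/* Added illustration for this thread; a model, not Exim's ldap.c.
 * All names are invented for the example; host and DN are sample data. */
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8

/* One cached LDAP connection.  'bound' mirrors the thread's lcp->bound:
 * set after ANY successful bind, anonymous or authenticated. */
typedef struct {
    char host[64];
    int  port;
    int  bound;        /* a bind has succeeded on this connection */
    int  tls_active;   /* StartTLS has succeeded on this connection */
    const char *user;  /* NULL after an anonymous bind */
} ldap_conn;

typedef struct {
    ldap_conn conns[MAX_CONNS];
    int n;
    /* 0: cache key is (host, port) only, as comment #3 describes;
     * 1: cache key also includes whether TLS is required. */
    int key_includes_tls;
} conn_cache;

/* Return the cached connection usable for this lookup, or NULL. */
static ldap_conn *cache_find(conn_cache *c, const char *host, int port,
                             int want_tls)
{
    for (int i = 0; i < c->n; i++) {
        ldap_conn *lc = &c->conns[i];
        if (strcmp(lc->host, host) != 0 || lc->port != port) continue;
        if (c->key_includes_tls && lc->tls_active != want_tls) continue;
        return lc;
    }
    return NULL;
}

/* Run one lookup under the patched rule "do not start TLS if already
 * bound".  Returns 1 if the lookup ran over TLS, 0 if in plaintext,
 * -1 if the cache is full. */
static int do_lookup(conn_cache *c, const char *host, int port,
                     int want_tls, const char *user)
{
    ldap_conn *lc = cache_find(c, host, port, want_tls);
    if (lc == NULL) {
        if (c->n >= MAX_CONNS) return -1;
        lc = &c->conns[c->n++];
        memset(lc, 0, sizeof *lc);
        snprintf(lc->host, sizeof lc->host, "%s", host);
        lc->port = port;
    }
    if (want_tls && !lc->bound)   /* the patched condition */
        lc->tls_active = 1;       /* simulated successful StartTLS */
    lc->bound = 1;                /* bind succeeds, anonymous or not */
    lc->user  = user;
    return lc->tls_active;
}

/* The scenario from comment #2: an anonymous plaintext lookup, then an
 * authenticated lookup that is supposed to use TLS, same host and port.
 * Returns whether the authenticated lookup was actually protected. */
int authenticated_lookup_gets_tls(int key_includes_tls)
{
    conn_cache c = { .n = 0, .key_includes_tls = key_includes_tls };
    do_lookup(&c, "ldap.example.test", 389, 0, NULL);
    return do_lookup(&c, "ldap.example.test", 389, 1,
                     "cn=exim,ou=services,dc=example,dc=test");
}

/* The case the patch is for: two TLS lookups reuse one connection
 * without a second StartTLS.  Returns the number of cached connections. */
int tls_lookups_share_connection(void)
{
    const char *dn = "cn=exim,ou=services,dc=example,dc=test";
    conn_cache c = { .n = 0, .key_includes_tls = 1 };
    do_lookup(&c, "ldap.example.test", 389, 1, dn);
    do_lookup(&c, "ldap.example.test", 389, 1, dn);
    return c.n;
}

int main(void)
{
    printf("key=(host,port):     authenticated lookup over TLS? %d\n",
           authenticated_lookup_gets_tls(0));
    printf("key=(host,port,tls): authenticated lookup over TLS? %d\n",
           authenticated_lookup_gets_tls(1));
    printf("two TLS lookups use %d connection(s)\n",
           tls_lookups_share_connection());
    return 0;
}
```

With the (host, port) key the second lookup silently reuses the plaintext connection; with TLS in the key it opens a fresh connection and negotiates TLS, while two TLS lookups still share one connection, which is the behaviour the patch is after.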


alexz at visp

Jul 22, 2012, 11:31 PM

Post #5 of 5
[Bug 1273] `ldapauth` fails when TLS is enabled [In reply to]

--- Comment #4 from Alexander Zagrebin <alexz [at] visp> 2012-07-23 07:31:28 ---
Created an attachment (id=585)
--> (http://bugs.exim.org/attachment.cgi?id=585)
Lookup log


