
touch-packages team mailing list archive

[Bug 1026057] Re: Segfault when setting bad olcTLSCipherSuite

 

*** This bug is a duplicate of bug 1103353 ***
    https://bugs.launchpad.net/bugs/1103353

** This bug has been marked a duplicate of bug 1103353
   Invalid GnuTLS cipher suite strings causes libldap to crash

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1026057

Title:
  Segfault when setting bad olcTLSCipherSuite

Status in “openldap” package in Ubuntu:
  Triaged

Bug description:
  Steps to reproduce:

  1. Configure olcTLSCertificateFile & olcTLSCertificateKeyFile:
  dn: cn=config
  changeType: modify
  add: olcTLSCertificateFile
  olcTLSCertificateFile: /some/valid/pemfile/path
  -
  add: olcTLSCertificateKeyFile
  olcTLSCertificateKeyFile: /some/valid/pemfile/path

  (At this point openldap started to support STARTTLS and began working
  as a sssd authentication backend.)

  2. Try configuring olcTLSCipherSuite to an openssl kind, for example:
  dn: cn=config
  changeType: modify
  add: olcTLSCipherSuite
  olcTLSCipherSuite: TLSv1+RSA:!NULL:!EXP

  Expected result in gnutls compiled openldap: some kind of refusal of
  configuration change (gnutls does not apparently support any kind of
  ciphersuite names like openssl).

  Actual result: segfault [01-slapd-stderr.log]

  Syslog message about crash: kernel: [ 4158.532053] slapd[2696]:
  segfault at 7fa824106008 ip 00007fa837ad10b5 sp 00007fa830df8110 error
  4 in libc-2.15.so[7fa837a52000+1b3000]

  From an administrator's perspective, openldap would be easier to
  configure should it be compiled against openssl instead of gnutls, as
  ciphersuites would be simpler to specify. I'm not aware whether an
  openssl build would crash here as well. A crash is, however, a rather
  bad indicator of "unsupported configuration value".

  # apt-cache policy slapd
  slapd:
    Installed: 2.4.28-1.1ubuntu4
    Candidate: 2.4.28-1.1ubuntu4
    Version table:
   *** 2.4.28-1.1ubuntu4 0
          500 http://fi.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
          100 /var/lib/dpkg/status

  # lsb_release -rd
  Description:    Ubuntu 12.04 LTS
  Release:        12.04

  # slapd -VVV
  @(#) $OpenLDAP: slapd  (Apr  5 2012 16:22:20) $
          buildd@allspice:/build/buildd/openldap-2.4.28/debian/build/servers/slapd

  Included static backends:
      config
      ldif

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1026057/+subscriptions
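
Added example, not part of the bug report or of OpenLDAP: a pre-flight check for the failure described above. It extracts each olcTLSCipherSuite value from an LDIF file and asks gnutls-cli whether it parses as a GnuTLS priority string before the change is applied. It assumes gnutls-cli is installed and accepts the same syntax as the GnuTLS library slapd is linked against; the function names and the GNUTLS_CLI variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: gnutls-cli is installed
# and parses priority strings like the GnuTLS library slapd is linked against.
# Usage: . ./preflight.sh
#        preflight_ldif change.ldif && ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif
GNUTLS_CLI=${GNUTLS_CLI:-gnutls-cli}   # hypothetical override for the binary

# Print every olcTLSCipherSuite value in an LDIF file, one per line.
# Leading indentation (as in the mail above) is tolerated; base64 ("::")
# values and folded lines are not handled.
cipher_values() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (tolower(line) ~ /^olctlsciphersuite:[^:]/) {
            sub(/^[^:]*:[ \t]*/, "", line)
            print line
        }
    }' "$1"
}

# 0 = accepted as a GnuTLS priority string, 1 = rejected, 2 = gnutls-cli missing.
check_priority() {
    command -v "$GNUTLS_CLI" >/dev/null 2>&1 || return 2
    "$GNUTLS_CLI" --list --priority "$1" </dev/null >/dev/null 2>&1 || return 1
    return 0
}

# Check every value in the LDIF; any non-zero status means "do not apply".
preflight_ldif() {
    status=0
    values=$(cipher_values "$1")
    [ -n "$values" ] || return 0
    while IFS= read -r value; do
        rc=0
        check_priority "$value" || rc=$?
        case $rc in
            0) echo "ok: $value" ;;
            1) echo "rejected by GnuTLS: $value" >&2; status=1 ;;
            *) echo "gnutls-cli not found, cannot check: $value" >&2; return 2 ;;
        esac
    done <<EOF
$values
EOF
    return $status
}
```

A value rejected here is one to correct before it reaches cn=config, since the report shows slapd crashing rather than refusing it.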