Fix ldap_set_tls_options #266
Conversation
| /* refuse to connect to SSLv2 as it's completely insecure */ | ||
| opt = LDAP_OPT_X_TLS_PROTOCOL_SSL3; | ||
| ldap_set_option(conn->conn, LDAP_OPT_X_TLS_PROTOCOL_MIN, &opt); | ||
| #endif |
There was a problem hiding this comment.
This should be done in ldap_set_tls_options().
| opt = 0; | ||
| ldap_set_option(conn->conn, LDAP_OPT_X_TLS_NEWCTX, &opt); | ||
| #endif | ||
|
|
There was a problem hiding this comment.
This should be done in ldap_set_tls_options().
| int opt = requires ? LDAP_OPT_X_TLS_HARD : LDAP_OPT_X_TLS_ALLOW; | ||
|
|
||
| /* required for Bookworm */ | ||
| if (ldap_set_opt(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt, |
There was a problem hiding this comment.
It's required for Bookworm and others to either set the global TLS options (by passing a NULL LDAP handle for ldap_set_option) and not to create a connection specific TLS context (by setting the LDAP_OPT_X_TLS_NEWCTX option) or to set the connection specific TLS options (by passing a non-NULL LDAP handle for ldap_set_option like on RHEL9) and to create a connection specific TLS context (by setting the LDAP_OPT_X_TLS_NEWCTX option).
It's better to set set the connection specific TLS options and to create a connection specific TLS context.
There was a problem hiding this comment.
This should be in the commit message.
src/lib-ldap/ldap-utils.c
Outdated
| else if (strcasecmp(ssl_set->ssl_min_protocol, "ANY") == 0 || | ||
| *ssl_set->ssl_min_protocol == '\0') | ||
| /* refuse to connect to SSLv2 as it's completely insecure */ | ||
| opt = LDAP_OPT_X_TLS_PROTOCOL_SSL3; |
There was a problem hiding this comment.
Should this minimum be increased to LDAP_OPT_X_TLS_PROTOCOL_TLS1_0?
There was a problem hiding this comment.
We should probably disallow empty ssl_min_protocol value entirely (also in lib-ssl-iostream code).
src/lib-ldap/ldap-utils.c
Outdated
| else if (strcasecmp(ssl_set->ssl_min_protocol, "ANY") == 0 || | ||
| *ssl_set->ssl_min_protocol == '\0') | ||
| /* refuse to connect to SSLv2 as it's completely insecure */ | ||
| opt = LDAP_OPT_X_TLS_PROTOCOL_SSL3; |
There was a problem hiding this comment.
We should probably disallow empty ssl_min_protocol value entirely (also in lib-ssl-iostream code).
src/lib-ldap/ldap-utils.c
Outdated
| opt = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2; | ||
| else if (strcasecmp(ssl_set->ssl_min_protocol, "TLSv1.3") == 0 || | ||
| strcasecmp(ssl_set->ssl_min_protocol, "LATEST") == 0) | ||
| opt = LDAP_OPT_X_TLS_PROTOCOL_TLS1_3; |
There was a problem hiding this comment.
Should move this mapping into a table and loop through it, instead of many ifs.
| int opt = requires ? LDAP_OPT_X_TLS_HARD : LDAP_OPT_X_TLS_ALLOW; | ||
|
|
||
| /* required for Bookworm */ | ||
| if (ldap_set_opt(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt, |
There was a problem hiding this comment.
This should be in the commit message.
Additionally, do not set the global peer certificate checking strategy (the global LDAP_OPT_X_TLS_REQUIRE_CERT option). It is not needed and has no effect after a new TLS context is created.
eehakkin
force-pushed
the
fix/ldap-set-tls-options
branch
from
e3b3d0c to
f043a7a
Compare
3 participants
The OpenLDAP library has global options (which can be set by passing a
NULLLDAP handle toldap_set_setting()) and connection specific options (which can be set by passing a non-NULLLDAP handle toldap_set_setting()). For TLS connection, the library uses either a default TLS context (which is based on global TLS options) or a connection specific TLS context (which can be create used theLDAP_OPT_X_TLS_NEWCTXoption and which is based on connection specific TLS options).The Dovecot LDAP libraries set and use the options and TLS contexts inconsistently and therefore it is not possible to set Dovecot LDAP TLS options as documented. Additionally, the
ssl_min_protocolsetting in handled wrongly.Problems:
Inconsistent use of LDAP TLS contexts:
db_ldap_init_ld()in src/auth/db-ldap.c and by theldap_connection_setup()in src/lib-ldap/ldap-connection.c (usingldap_initialize()). Both of these call theldap_set_tls_options()to set connection specific TLS options (except forLDAP_OPT_X_TLS_REQUIRE_CERTalso the global one).ldap_connection_setup()in src/lib-ldap/ldap-connection.c also sets theLDAP_OPT_X_TLS_NEWCTXoption and thus creates a new connection specific TLS context based on the connection specific TLS options which were set by theldap_set_tls_options().db_ldap_init_ld()in src/auth/db-ldap.c does not set theLDAP_OPT_X_TLS_NEWCTXoption and thus uses the default TLS context based on the global TLS options which were not set by theldap_set_tls_options().To fix this disparity, the
ldap_set_tls_options()should set theLDAP_OPT_X_TLS_NEWCTXoption.Once the TLS context issue is fixed and only connection specific TLS options are used, it is not longer necessary to set the global
LDAP_OPT_X_TLS_REQUIRE_CERToption in theldap_set_tls_options().The
ldap_set_tls_options()uses thessl_min_protocolsetting string as-is as aLDAP_OPT_X_TLS_PROTOCOL_MINoption but the option is an int option. Typically the string is something like"TLSv1.3"or"\x54\x4C\x53\x76\x31\x2E\x33"which with typical 4 byte little endian ints means TLSv7754572.84 (0x76534C, 0x54) which LDAP servers do not provide.To fix this, the
ldap_set_tls_options()should convert thessl_min_protocolsetting toLDAP_OPT_X_TLS_PROTOCOL_TLSx_yconstants.The
ldap_connection_setup()in src/lib-ldap/ldap-connection.c calls theldap_set_tls_options()to set TLS options but overrides theLDAP_OPT_X_TLS_PROTOCOL_MINoption with theLDAP_OPT_X_TLS_PROTOCOL_SSL3value.Partial work-a-round for the current Dovecot 2.4.x is to configure at least LDAP TLS certificates also using import_environment as in