[exim-dev] exim, lookups/ldap.c, ldap_start_tls_s return val…

Top Page
Delete this message
Reply to this message
Author: Dmitry Banschikov
Date:  
To: exim-dev
Subject: [exim-dev] exim, lookups/ldap.c, ldap_start_tls_s return value
Hello.

While investigating strange issue with exim, STARTTLS and LDAP, I have
found, that lookups/ldap.c does not check returned value of
ldap_start_tls_s(3) function. That is why, the error exim reports at
debug is not at conformity with the actual situation.
More than that, this is possible to specify exactly the problem, caused
the error via ldap_get_option(3) for LDAP_OPT_DIAGNOSTIC_MESSAGE, e.g.:
----------------------------------------------------------------------------------
ldap_start_tls_s() failed: Connect error, error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate in certificate chain)
----------------------------------------------------------------------------------
I think that exim should check returned value by ldap_start_tls_s, as
further calling of ldap_bind() returns inappropriate error.
I have wrote small patch, which one change error reporting behaviour to
be more expectable.


Debug output without patch: (exim -v -d+all -bh 8.8.8.8 -C ./configure)

----------------------------------------------------------------------------------
20:19:52 81575 initialized for LDAP (v3) server 
rw2.devel.ldap.hostcomm.ru:389
20:19:52 81575 LDAP_OPT_X_TLS_TRY set
20:19:52 81575 binding with user=uid=dbanschikov,ou=users,o=hc 
password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru.  3m26s IN A  10.14.10.186
ldap.hostcomm.ru.       3m26s IN NS     dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru.       3m26s IN SOA    dns.ovr.hc.ru. support.hc.ru. (
                                          2011082302      ; serial
                                          3H              ; refresh
                                          1H              ; retry
                                          2D              ; expiry
                                          10M )           ; minimum


;; rcode = 0, ancount=0
20:19:52 81575 failed to bind the LDAP connection to server
rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
20:19:52 81575 lookup deferred: failed to bind the LDAP connection to
server rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
----------------------------------------------------------------------------------


Debug output with patch (exim -v -d+all -bh 8.8.8.8 -C ./configure)

----------------------------------------------------------------------------------
20:23:18 83019 initialized for LDAP (v3) server 
rw2.devel.ldap.hostcomm.ru:389
20:23:18 83019 LDAP_OPT_X_TLS_TRY set
20:23:18 83019 binding with user=uid=dbanschikov,ou=users,o=hc 
password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru.  5M IN A  10.14.10.186
ldap.hostcomm.ru.       5M IN NS        dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru.       5M IN SOA       dns.ovr.hc.ru. support.hc.ru. (
                                          2011082302      ; serial
                                          3H              ; refresh
                                          1H              ; retry
                                          2D              ; expiry
                                          10M )           ; minimum


;; rcode = 0, ancount=0
20:23:18 83019 failed to initiate TLS processing on an LDAP session to
server rw2.devel.ldap.hostcomm.ru:389 - ldap_start_tls_s() returned -11:
Connect error
20:23:18 83019 lookup deferred: failed to initiate TLS processing on an
LDAP session to server rw2.devel.ldap.hostcomm.ru:389 -
ldap_start_tls_s() returned -11: Connect error

----------------------------------------------------------------------------------




--

Dmitry Banschikov

--- src/lookups/ldap.c.orig    2012-05-02 19:50:51.000000000 +0000
+++ src/lookups/ldap.c    2012-05-02 20:04:39.000000000 +0000
@@ -523,7 +523,12 @@
   /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
   if (eldap_start_tls)
     {
-    ldap_start_tls_s(lcp->ld, NULL, NULL);
+        if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) {
+            *errmsg = string_sprintf("failed to initiate TLS processing on an "
+                "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+                " %s", host, porttext, rc, ldap_err2string(rc));
+            goto RETURN_ERROR;
+        }
     }
 #endif
   if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))