Tcl Library Source Code

Ticket Change Details

Artifact ID: 465e36c369ebfe9df5816f9da5bd8ccfaa15837d48e7240744ff513dba7f9740
Ticket: 60160205fe965d617482fd65dee13031fc16a1b7
Broken support for LDAPS
User & Date: aku 2018-05-17 20:08:01

  1. Change assignee to "aku"
  2. Change comment to:

    Support for LDAPS is broken with ldap.tcl (and ldapx.tcl too).

    This ticket details a problem and suggest improvements to the ldap/ldapx modules.

    1) TLS handshake does not report an appropriate message

    I am trying to connect to our LDAPS server:
    Connection error: Protocol error: Error reading SEQUENCE response for handle ::ldap::ldapsock55682b6a9da0 : error : 562(long list of bytes)
    This message is not useful. While tracking the problem in ldap::secure_connect, I see that tls::handshake is called with async I/O enabled (fconfigure ... -blocking no). If I move this line after the while{1} loop, I get the more meaningful message:
    Connection error: handshake failed: certificate verify failed
    Conclusion 1 : TLS handshake should run on a blocking connection.

    2) ldap::secure_connect does not have appropriate parameters

    ldap::secure_connect accepts only the following TLS related parameters "verify_cert" and "sni_servername". It does not accept the "cafile", "certfile", not "keyfile" parameters (as with ldap::starttls).
    In my problem described in 1), it means that I cannot specify some TLS-related parameters.
    Conclusion 2 : ldap::secure_connect should accept "cafile", "certfile", and "keyfile" parameters.

    3) TLS parameters are not in sync with tcltls

    tls::import accepts the cadir/cipher/keyfile/password
    Conclusion 3 : ldap::secure_connect and ldap::starttls should accept these parameters too

    4) The "ldap connect" method in ldapx.tcl should accept TLS-related parameters

    Since the "connect" method of ldap objects (in ldapx) calls secure_connect, it should accept the same parameters as ldap::secure_connect.
    Conclusion 4 : add these TLS-related parameters to ldapx

    This ticket details some proposals as a basis for discussion, before trying to implement these points.

  3. Change icomment to:

    Agreed on (1), run connection setup non-async. Agreed on (2). Agreed on (3). Agreed on (4). Depending on how the arguments are passed / options are handled this might be automatic, i.e. with secure_connect accepting new options the connect will do as well. -- I haven't looked into the code yet.

    Looking for patches.

  4. Change login to "aku"
  5. Change mimetype to "text/plain"
  6. Change priority to "8"