Overview
Artifact ID: | 465e36c369ebfe9df5816f9da5bd8ccfaa15837d48e7240744ff513dba7f9740 |
---|---|
Ticket: | 60160205fe965d617482fd65dee13031fc16a1b7
Broken support for LDAPS |
User & Date: | aku 2018-05-17 20:08:01 |
Changes
- assignee changed to: "aku"
- comment changed to:
Support for LDAPS is broken with ldap.tcl (and ldapx.tcl too). This ticket details a problem and suggest improvements to the ldap/ldapx modules. 1) TLS handshake does not report an appropriate message I am trying to connect to our LDAPS server: <verbatim>Connection error: Protocol error: Error reading SEQUENCE response for handle ::ldap::ldapsock55682b6a9da0 : error : 562(long list of bytes)</verbatim> This message is not useful. While tracking the problem in ldap::secure_connect, I see that tls::handshake is called with async I/O enabled (fconfigure ... -blocking no). If I move this line after the while{1} loop, I get the more meaningful message: <verbatim>Connection error: handshake failed: certificate verify failed</verbatim> Conclusion 1 : TLS handshake should run on a blocking connection. 2) ldap::secure_connect does not have appropriate parameters ldap::secure_connect accepts only the following TLS related parameters "verify_cert" and "sni_servername". It does not accept the "cafile", "certfile", not "keyfile" parameters (as with ldap::starttls). In my problem described in 1), it means that I cannot specify some TLS-related parameters. Conclusion 2 : ldap::secure_connect should accept "cafile", "certfile", and "keyfile" parameters. 3) TLS parameters are not in sync with tcltls tls::import accepts the cadir/cipher/keyfile/password Conclusion 3 : ldap::secure_connect and ldap::starttls should accept these parameters too 4) The "ldap connect" method in ldapx.tcl should accept TLS-related parameters Since the "connect" method of ldap objects (in ldapx) calls secure_connect, it should accept the same parameters as ldap::secure_connect. Conclusion 4 : add these TLS-related parameters to ldapx This ticket details some proposals as a basis for discussion, before trying to implement these points.
- icomment:
Agreed on (1), run connection setup non-async. Agreed on (2). Agreed on (3). Agreed on (4). Depending on how the arguments are passed / options are handled this might be automatic, i.e. with secure_connect accepting new options the connect will do as well. -- I haven't looked into the code yet. Looking for patches.
- login: "aku"
- mimetype: "text/plain"
- priority changed to: "8"