Tcl Library Source Code

Ticket Change Details
Login
Overview

Artifact ID: 465e36c369ebfe9df5816f9da5bd8ccfaa15837d48e7240744ff513dba7f9740
Ticket: 60160205fe965d617482fd65dee13031fc16a1b7
Broken support for LDAPS
User & Date: aku 2018-05-17 20:08:01
Changes

  1. assignee changed to: "aku"
  2. comment changed to:
    Support for LDAPS is broken with ldap.tcl (and ldapx.tcl too).
    
    This ticket details a problem and suggest improvements to the ldap/ldapx modules.
    
    
    1) TLS handshake does not report an appropriate message
    
      I am trying to connect to our LDAPS server:
    
      <verbatim>Connection error: Protocol error: Error reading SEQUENCE response for handle ::ldap::ldapsock55682b6a9da0 : error : 562(long list of bytes)</verbatim>
    
      This message is not useful. While tracking the problem in ldap::secure_connect, I see that tls::handshake is called with async I/O enabled (fconfigure ... -blocking no). If I move this line after the while{1} loop, I get the more meaningful message:
    
      <verbatim>Connection error: handshake failed: certificate verify failed</verbatim>
    
      Conclusion 1 : TLS handshake should run on a blocking connection.
    
    
    2) ldap::secure_connect does not have appropriate parameters
    
      ldap::secure_connect accepts only the following TLS related parameters "verify_cert" and "sni_servername". It does not accept the "cafile", "certfile", not "keyfile" parameters (as with ldap::starttls).
    
      In my problem described in 1), it means that I cannot specify some TLS-related parameters.
    
      Conclusion 2 : ldap::secure_connect should accept "cafile", "certfile", and "keyfile" parameters.
    
    
    3) TLS parameters are not in sync with tcltls
    
      tls::import accepts the cadir/cipher/keyfile/password
    
      Conclusion 3 : ldap::secure_connect and ldap::starttls should accept these parameters too
    
    4) The "ldap connect" method in ldapx.tcl should accept TLS-related parameters
    
      Since the "connect" method of ldap objects (in ldapx) calls secure_connect, it should accept the same parameters as ldap::secure_connect.
    
      Conclusion 4 : add these TLS-related parameters to ldapx
    
    This ticket details some proposals as a basis for discussion, before trying to implement these points.
    
  3. icomment:
    Agreed on (1), run connection setup non-async.
    Agreed on (2).
    Agreed on (3).
    Agreed on (4). Depending on how the arguments are passed / options are handled this might be automatic, i.e. with secure_connect accepting new options the connect will do as well. -- I haven't looked into the code yet.
    
    Looking for patches.
    
  4. login: "aku"
  5. mimetype: "text/plain"
  6. priority changed to: "8"