From f49e4cfc1044e27d9f9e8a83ff5ca7086aea17aa Mon Sep 17 00:00:00 2001 From: William Brown Date: Nov 08 2017 02:52:45 +0000 Subject: Ticket 49377 - Incoming BER too large with TLS on plain port Bug Description: When doing TLS to a plain port, a message of "ber element 3 bytes too large for max ber" when max ber > 3. Fix Description: When ber_len < maxber, report that the request may be misformed instead of "oversize" instead. This can lead to a better diagnosis. https://pagure.io/389-ds-base/issue/49377 Author: wibrown Review by: mreynolds (thanks!) Cherry picked from commit b3629af054760d9421a41d63b8b8ed513bb6944d --- diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c index 24a7a1c..0128986 100644 --- a/ldap/servers/slapd/connection.c +++ b/ldap/servers/slapd/connection.c @@ -2177,6 +2177,13 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, ber_len_t maxbe " is %" BERLEN_T " bytes. Change the nsslapd-maxbersize attribute in" " cn=config to increase.\n", conn->c_connid, conn->c_sd, maxbersize); + } else if (ber_len < maxbersize) { + /* This means the request was misformed, not too large. */ + slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error", + "conn=%" PRIu64 " fd=%d Incoming BER Element may be misformed. " + "This may indicate an attempt to use TLS on a plaintext port, " + "IE ldaps://localhost:389. Check your client LDAP_URI settings.\n", + conn->c_connid, conn->c_sd); } else { slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error", "conn=%" PRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable"