#1490 SSSD does not close TCP connections when SSL fails
Closed: Fixed None Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=849081 (Red Hat Enterprise Linux 6)

Description of problem: SSSD does not close TCP connections if SSL fails. For
example, if I use ldaps://10.65.211.123 as the ldap_uri, SSL fails with error
"hostname does not match CN in peer certificate"; however, SSSD does not attempt
to close the established connection, and for the next request SSSD opens a new
connection. This is repeated until the ldap server runs out of available
ports/fds.

Version-Release number of selected component (if applicable): sssd-1.8.0-32.el6


How reproducible: Always.


Steps to Reproduce:
1. Setup an ldap server with SSL
2. Copy the CA certificate to Client
3. Configure SSSD with ldap_uri=ldaps://ip.address or a (short) hostname which
does not match the CN in the certificate.

Actual results:
SSSD fails to connect to the ldap server due to CN mismatch; sssd does not close
the existing connection and opens a new one on the next request.

Expected results:
SSSD fails to connect to the ldap server due to CN mismatch, and it closes the
existing connection.

Additional info: This could cause a DoS on the ldap server, especially if the
client is configured with 'enumerate=true'. I have not noticed the issue with
start_tls ( ldap_uri ldap:// & use secure connection for id look-up set).
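A check an administrator could run on the client to spot the symptom described above (many ESTAB sockets from sssd_be to the LDAPS port piling up after repeated TLS failures). This is an added example, not SSSD's own code; the `ss -tnp` output it parses is constructed, the IPs are illustrative, and the column layout assumed is that of iproute2 `ss`.

```python
import re
from collections import Counter

# Constructed sample of `ss -tnp` output on the LDAP client, showing the
# leak pattern from the report: several sockets from sssd_be to :636.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB  0      0      10.65.211.50:41230    10.65.211.123:636   users:(("sssd_be",pid=2345,fd=21))
ESTAB  0      0      10.65.211.50:41231    10.65.211.123:636   users:(("sssd_be",pid=2345,fd=22))
ESTAB  0      0      10.65.211.50:41232    10.65.211.123:636   users:(("sssd_be",pid=2345,fd=23))
ESTAB  0      0      10.65.211.50:41233    10.65.211.123:636   users:(("sssd_be",pid=2345,fd=24))
ESTAB  0      0      10.65.211.50:52000    10.65.211.200:22    users:(("ssh",pid=999,fd=3))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional users:((...)).
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+)?'
)


def established_by_peer(ss_output, process="sssd_be", ports=(636, 389)):
    """Count ESTAB sockets owned by `process` per peer address:port,
    restricted to the LDAP(S) ports of interest."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "ESTAB" or m.group("proc") != process:
            continue
        peer = m.group("peer")
        # rsplit handles IPv6 peers such as [fd00::1]:636 as well.
        port = int(peer.rsplit(":", 1)[1])
        if port in ports:
            counts[peer] += 1
    return counts


def leaking_peers(ss_output, threshold=3, **kwargs):
    """Return peers with more sockets than a healthy client should hold.
    A working SSSD backend keeps one connection per server, so a count
    well above that is the leak signature from the report."""
    return {peer: n for peer, n in established_by_peer(ss_output, **kwargs).items()
            if n > threshold}
```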

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0

This was fixed in d8fbc52

I'll leave the ticket open until our weekly meeting so that the associated bugzilla is triaged.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 7

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.0 beta 7

2 years ago
