https://bugzilla.redhat.com/show_bug.cgi?id=849081 (Red Hat Enterprise Linux 6)
Description of problem: SSSD does not close TCP connections if SSL fails. For
example, if I use ldaps://10.65.211.123 as the ldap_uri, SSL fails with the error
"hostname does not match CN in peer certificate"; however SSSD does not attempt
to close the established connection, and for the next request SSSD opens a new
connection. This is repeated until the ldap server runs out of available
Version-Release number of selected component (if applicable): sssd-1.8.0-32.el6
How reproducible: Always.
Steps to Reproduce:
1. Setup an ldap server with SSL
2. Copy the CA certificate to Client
3. Configure SSSD with ldap_uri=ldaps://ip.address or a (short) hostname which
does not match the CN in the certificate.
Actual results:
SSSD fails to connect to the ldap server due to the CN mismatch; sssd does not
close the existing connection and opens a new one on the next request.
Expected results:
SSSD fails to connect to the ldap server due to the CN mismatch; it closes the existing
Additional info: This could cause a DoS on the ldap server, especially if the client
is configured with 'enumerate=true'. I have not noticed the issue with start_tls
(ldap_uri ldap:// and "use secure connection for id look-up" set).
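A quick way to confirm the reproduction above (or the fix) without reading SSSD's debug logs is to count the established TCP connections to the ldaps port from netstat or ss output. The following is an added example, not part of this ticket or of the SSSD project; the sample output, the client address 10.65.201.50, the function names count_ldaps_conns and check_leak, and the threshold of one live connection per client are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not SSSD code): count established TCP connections to the
# ldaps port in "netstat -tan" or "ss -tan" output. On the SSSD client the
# number should stay flat across repeated lookups; a count that grows by one
# per failed lookup is the leak described in the ticket. On the LDAP server
# the same function counts the connections the server is holding open.

# Count lines whose state is ESTABLISHED (netstat) or ESTAB (ss) and that have
# an address ending in ":<port>" in either the local or the peer column.
# Port defaults to 636 (ldaps); pass another port as the first argument.
count_ldaps_conns() {
    awk -v port="${1:-636}" '
        {
            est = 0; on_port = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "ESTABLISHED" || $i == "ESTAB") est = 1
                if ($i ~ (":" port "$")) on_port = 1
            }
            if (est && on_port) n++
        }
        END { print n + 0 }'
}

# Report a leak when more live connections to the port exist than the
# threshold (second argument, default 1; the assumption is that one client
# should hold at most one ldaps connection to its server). Returns 1 on a
# leak so it can drive a loop or an alert.
check_leak() {
    port="${1:-636}"
    n=$(count_ldaps_conns "$port")
    if [ "$n" -gt "${2:-1}" ]; then
        echo "leak: $n established connections to port $port"
        return 1
    fi
    echo "ok: $n established connections to port $port"
}

# Constructed sample of "netstat -tan" on a client after three failed ldaps
# attempts (server address from the bug report, client address made up).
# The ssh session and the TIME_WAIT line must not be counted.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.65.201.50:41022      10.65.211.123:636       ESTABLISHED
tcp        0      0 10.65.201.50:41023      10.65.211.123:636       ESTABLISHED
tcp        0      0 10.65.201.50:41024      10.65.211.123:636       ESTABLISHED
tcp        0      0 10.65.201.50:22         10.65.201.7:51234       ESTABLISHED
tcp        0      0 10.65.201.50:41019      10.65.211.123:636       TIME_WAIT'

# Constructed sample in "ss -tan" format, where the state is the first column.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB      0      0      10.65.201.50:41030     10.65.211.123:636'

printf '%s\n' "$SAMPLE_NETSTAT" | count_ldaps_conns   # 3
printf '%s\n' "$SAMPLE_SS" | count_ldaps_conns        # 1
printf '%s\n' "$SAMPLE_NETSTAT" | check_leak || :     # leak: 3 ...
```

On a live client, run a few lookups (for example `getent passwd <user>`) with the mismatched ldap_uri and pipe `netstat -tan` (or `ss -tan`) into `count_ldaps_conns`: with the leak each failed lookup adds one ESTABLISHED connection to :636, with the fix the number stays at zero. With enumerate=true the count climbs without any user action, which is the DoS concern in the report.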
owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0
This was fixed in d8fbc52
I'll leave the ticket open until our weekly meeting so that the associated bugzilla is triaged.
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 7
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.0 beta 7
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.