#1490 SSSD does not close TCP connections when SSL fails
Closed: Fixed None Opened 10 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=849081 (Red Hat Enterprise Linux 6)

Description of problem: SSSD does not close TCP connections if SSL fails, for
example, if I use ldaps:// as the ldap_uri, SSL failes with error
"hostname does not match CN in peer certificate" however SSSD does not attempt
to close the established connection, and for the next request SSSD opens a new
connection.. this is repeated until the ldap server run out of available

Version-Release number of selected component (if applicable): sssd-1.8.0-32.el6

How reproducible: Always.

Steps to Reproduce:
1. Setup an ldap server with SSL
2. Copy the CA certificate to Client
3. Configure SSSD with ldap_uri=ldaps://ip.address or a hostname(short) which
does not match the CN in the certificate.

Actual results:
SSSD fails to connect to ldap server due to CN mismatch, sssd does not close
the existing connection and open new on next request.

Expected results:
SSSD fails to connect to ldap server due to CN mismatch, it closes the existing

Additional info: This could cause DOS on ldap server, especially if the client
is configured with 'enumerate=true'. I have not notice the issue with start_tls
( ldap_uri ldap:// & use secure connection for id look-up set).

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0

This was fixed in d8fbc52

I'll leave the ticket open until our weekly meeting so that the associated bugzilla is triaged.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 7

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.0 beta 7

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2532

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.