[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Ryan Tandy
1103353 at bugs.launchpad.net
Fri Apr 10 17:13:54 UTC 2015
On Fri, Apr 10, 2015 at 04:30:32PM -0000, Harry Coin wrote:
>Steps to reproduce:
>1) Install older version that used openssl.
>2) Set up a cipher suite of any sort.
>3) Validate ldaps operation.
>4) "upgrade" using current version built against gnutls.
>5) Notice slapd won't start, complaining of double free, upgrade fails.
The nit-picker in me feels compelled to point out that the
openssl→gnutls change invalidating existing TLSCipherSuite settings
actually was dealt with, sort of:
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=327fcec47c59ccb7de65747327730eabc5656969
(This would have been applied when upgrading to hardy.)
However, in 2.4.14 the cipher suite parser used for gnutls was changed,
but this time there was no such upgrade handling:
http://www.openldap.org/its/?findid=6251
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256
AFAIK the latter change, not the former, would have introduced this when
upgrading to jaunty (or for LTS users, from hardy to lucid).
FWIW, upstream explicitly documents in ldap.conf(5) that TLSCipherSuite
settings are implementation dependent, and that openssl and gnutls
ciphersuite strings are not compatible. Even after fixing the
double-free, a manual "reconfigure ciphersuites for gnutls" step is
required in the upgrade steps listed above...
--
https://bugs.launchpad.net/bugs/1103353
Title:
Invalid GnuTLS cipher suite strings causes libldap to crash
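An added example, not part of the original message or of the OpenLDAP packaging: a pre-upgrade check that flags cipher suite settings which do not parse as GnuTLS priority strings, so the manual reconfiguration step mentioned above is not missed. The function names and the sample configuration are constructed for illustration, and the token test is a syntactic heuristic (an assumption), not a call into GnuTLS.

```python
import re

# Level keywords accepted in GnuTLS priority strings (per the GnuTLS manual).
GNUTLS_KEYWORDS = {"PERFORMANCE", "NORMAL", "LEGACY", "PFS", "SECURE128",
                   "SECURE192", "SECURE256", "SUITEB128", "SUITEB192",
                   "EXPORT", "NONE"}

# TLSCipherSuite (slapd.conf), TLS_CIPHER_SUITE (ldap.conf) and
# olcTLSCipherSuite (cn=config LDIF). Commented-out lines do not match.
DIRECTIVE = re.compile(
    r"^\s*(olcTLSCipherSuite|TLSCipherSuite|TLS_CIPHER_SUITE)\s*:?\s+(.+?)\s*$",
    re.IGNORECASE)


def looks_like_gnutls_priority(value):
    """Heuristic: every colon-separated token is a level keyword, an
    @-reference, or carries a +, -, ! or % prefix. OpenSSL lists such as
    HIGH:MEDIUM or ECDHE-RSA-AES256-SHA contain bare tokens that fail this."""
    for token in value.strip().strip('"').split(":"):
        if not token:
            return False
        if token[0] in "+-!%@" or token.upper() in GNUTLS_KEYWORDS:
            continue
        return False
    return True


def find_suspect_settings(config_text):
    """Return (line number, directive, value) for each cipher suite setting
    that needs manual review before moving to a GnuTLS-linked build."""
    suspects = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match and not looks_like_gnutls_priority(match.group(2)):
            suspects.append((lineno, match.group(1), match.group(2)))
    return suspects


# Constructed sample input, not taken from the bug report.
SAMPLE = """\
# slapd.conf / ldap.conf / cn=config fragments
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLS_CIPHER_SUITE SECURE256:-VERS-SSL3.0
olcTLSCipherSuite: NORMAL:!VERS-SSL3.0
TLSCipherSuite "ECDHE-RSA-AES256-SHA:AES256-SHA"
#TLSCipherSuite DEFAULT
"""

if __name__ == "__main__":
    for lineno, directive, value in find_suspect_settings(SAMPLE):
        print(f"line {lineno}: {directive} {value} does not look like a GnuTLS priority string")
```

A value made up only of prefixed tokens (for example an OpenSSL list where every entry starts with `!` or `+`) passes this heuristic, so a clean result does not replace testing the setting against the GnuTLS-linked build.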