php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #39669 php ldap functions not sending SSLv2 Client Hello
Submitted: 2006-11-28 23:45 UTC Modified: 2006-11-30 21:37 UTC
From: sujiannming at gmail dot com Assigned:
Status: Not a bug Package: LDAP related
PHP Version: 4.4.4 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sujiannming at gmail dot com
New email:
PHP Version: OS:

 

 [2006-11-28 23:45 UTC] sujiannming at gmail dot com 
Description:
------------
When connecting to ldaps:// via port 636, the first packet after the TCP handshake should be a SSLv2 "Client Hello."  At least tracing ldapsearch, this is the case.  However, with both php 4.3.x, 4.4.4, and php 5.1.x, the first packet after the TCP handshake seems to be a SSL Continuation Data.  The result of this is the inability for php to bind to the ldap server.

Reproduce code:
---------------
http://us2.php.net/manual/en/function.ldap-bind.php

Expected result:
----------------
When doing a tcpdump, I "should" see a SSLv2 Client Hello packet destined for the ldaps server.  Which is what I see when I run the following ldapsearch command:

ldapsearch -x  -H ldaps://ldap.example.bogus -b dc=example,dc=bogus -D "uid=nocuser,ou=services,dc=example,dc=bogus" -W uid=some_uid

Actual result:
--------------
I'm actually seeing a SSL Continuation Data packet instead.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-11-29 21:06 UTC] tony2001@php.net 
What exactly are you looking for, what do you see and how to reproduce it?
 [2006-11-30 05:51 UTC] sujiannming at gmail dot com 
I'm looking for php's ldap support to properly connect to an LDAP server using SSL on port 636.  

What I'm seeing when I trace traffic generated by the ldap_bind() sample code is a SSL Continuation Data packet.  This seems to be preventing the php code to properly connect and bind to the ldap server.  When I trace the traffic generated by ldapsearch, I see a SSLv2 Client Hello packet.  Using ldapsearch, I'm able to connect and bind to the ldap server via SSL on port 636.  I'm using tcpdump and wireshark to trace the traffic, BTW.

I can reproduce this problem one of two ways.  One, try the sample code found at http://us2.php.net/manual/en/function.ldap-bind.php with php 4.3.x, 4.4.4, or 5.1.x.  Two, try to connect to a ldap server using SSL on port 636 using Drupal's ldap_authentication module.  Connecting with TLS seems to work fine if the ldap server supports it.

Maybe my php was compiled against an older version of openldap?  I'm using php packages that come with Debian and RedHat/CentOS.  I apologize for not being more clear in my original bug report.
 [2006-11-30 09:30 UTC] tony2001@php.net 
>I can reproduce this problem one of two ways.
Do you know of any public LDAP servers?

>Maybe my php was compiled against an older version of openldap?
How do we know that?
 [2006-11-30 20:08 UTC] sujiannming at gmail dot com 
Nevermind.  Apparently, it is important to explicitly state the URI protocol ldaps:// if you want it to connect properly via SSL.  Specifying port 636 isn't enough. 

So, ldap_connect("your_ldap_server", "636") won't do it.  It has to be ldap_connect("ldaps://your_ldap_server", "636").
 [2006-11-30 21:37 UTC] tony2001@php.net 
Sure, ldaps is required.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 13:00:01 2025 UTC