Bug #78029 ldap_set_option doesn't always set TLS options.
Submitted: 2019-05-17 16:43 UTC Modified: -
From: will dot skates at ntlworld dot com Assigned:
Status: Open Package: LDAP related
PHP Version: 7.2.18 OS: Linux
Private report: No CVE-ID: None

 [2019-05-17 16:43 UTC] will dot skates at ntlworld dot com
Description:
------------
"ldap_set_option" doesn't behave predictably when you set TLS options. The tests for the extension [1] _seem_ to suggest that it should, just because they pass the resource as the first option.

The TLS context is established the first time an LDAP connection is bound [2][3]. I think that means that if I want to change my TLS settings I have to restart php-fpm and hope I'm the first one to ldap_bind on the box.

[1]: https://github.com/php/php-src/blob/master/ext/ldap/tests/ldap_set_option_cafiles_basic.phpt
[2]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/open.c#L193
[3]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/tls2.c#L368

I'm running the two scripts using "php -S" and navigating to test1.php and test2.php respectively.

I'm not sure what the ideal solution is. OpenLDAP does provide the LDAP_OPT_X_TLS_NEWCTX and LDAP_OPT_X_TLS_CTX options to help deal with this, but they both seem to alter the global scope around the function. The problem is just that I can't rely on "ldap_set_option" to actually do what I tell it to. It might be better to create a new TLS context for every connection as it gets bound so that OpenLDAP doesn't override it with the global state.

This is true if I bind using ldaps:// or StartTLS.

For testing I have slapd (2.4.47) running in a container and have generated my own CA, Client and Server certificates.

My LDAP extension info:
ldap

LDAP Support => enabled
RCS Version => $Id: 3839f871a91c293a52322c63329c68db23a0290a $
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
Vendor Version => 20446
SASL Support => Enabled

Directive => Local Value => Master Value
ldap.max_links => Unlimited => Unlimited



Test script:
---------------
https://pastebin.com/n1HUjCwD

Expected result:
----------------
NULL
NULL


Actual result:
--------------
NULL
string(131) "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)"
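
The following script is an added example, not the reporter's pastebin script and not code from php-src. It compresses the two-script scenario above into one php process so you can check whether the per-handle TLS options set through ldap_set_option() actually reach the handshake: handle A gets the CA that signs the server, handle B gets an unrelated CA and must fail verification. If B connects anyway, B's options were ignored and the process is reusing whatever context was built for A. The server URI, the two CA file paths and the use of an anonymous bind are assumptions; adjust them to your environment.

```php
<?php
declare(strict_types=1);

// Added example (not the reporter's script, not php-src code). Assumptions:
//   - an ldaps:// server whose certificate chains to $goodCa
//   - $bogusCa is a PEM CA bundle that does NOT sign that server
//   - the server accepts anonymous binds (or change ldap_bind() below)
// All three values are hypothetical placeholders.

/**
 * Set per-handle TLS trust options and attempt an anonymous bind over ldaps://.
 * Returns whether the TLS handshake itself succeeded, independent of whether
 * the server accepted the bind.
 */
function tls_handshake_with_ca(string $uri, string $caFile): array
{
    $ld = ldap_connect($uri);
    if ($ld === false) {
        throw new RuntimeException("ldap_connect() rejected URI: $uri");
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // The settings under test. ldap_set_option() reports success here even
    // when the later handshake ignores them, which is the point of the report.
    foreach ([
        LDAP_OPT_X_TLS_CACERTFILE   => $caFile,
        LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP_OPT_X_TLS_DEMAND,
    ] as $option => $value) {
        if (!ldap_set_option($ld, $option, $value)) {
            throw new RuntimeException("ldap_set_option($option) failed: " . ldap_error($ld));
        }
    }

    // ldap_connect() is lazy; the bind is what opens the socket and runs the
    // TLS handshake. The E_WARNING on failure is suppressed so the result can
    // be classified from errno and the diagnostic message instead.
    $bound = @ldap_bind($ld);
    $errno = ldap_errno($ld);
    $diag  = '';
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);

    // A failed handshake surfaces as LDAP_SERVER_DOWN (-1) or
    // LDAP_CONNECT_ERROR (-11), with the OpenSSL reason in the diagnostic
    // message. Any other errno (e.g. 48/53 for a refused anonymous bind)
    // means the TLS layer itself came up and the server was reached.
    $result = [
        'ca'           => $caFile,
        'bound'        => $bound,
        'handshake_ok' => !in_array($errno, [-1, -11], true),
        'errno'        => $errno,
        'error'        => ldap_error($ld),
        'diagnostic'   => $diag,
    ];
    ldap_unbind($ld);
    return $result;
}

$uri     = $argv[1] ?? 'ldaps://ldap.example.test:636';   // hypothetical
$goodCa  = $argv[2] ?? '/etc/ssl/certs/test-ca.pem';       // hypothetical
$bogusCa = $argv[3] ?? '/etc/ssl/certs/unrelated-ca.pem';  // hypothetical

$a = tls_handshake_with_ca($uri, $goodCa);   // baseline: should pass
$b = tls_handshake_with_ca($uri, $bogusCa);  // should fail verification

foreach ([$a, $b] as $r) {
    printf("CA %s: handshake %s, errno %d, %s%s\n",
        $r['ca'], $r['handshake_ok'] ? 'OK' : 'FAILED', $r['errno'], $r['error'],
        $r['diagnostic'] !== '' ? " ({$r['diagnostic']})" : '');
}

if (!$a['handshake_ok']) {
    fwrite(STDERR, "Baseline handshake failed; fix the URI or the good CA before drawing conclusions.\n");
    exit(2);
}
if ($b['handshake_ok']) {
    fwrite(STDERR, "Handle B connected despite an unrelated CA: per-handle TLS options were not applied in this process.\n");
    exit(1);
}
echo "Per-handle TLS options are honoured by this PHP/OpenLDAP build.\n";
```

Run it in a fresh process (php CLI, or a freshly started php-fpm worker), since the report is that the context is fixed by whichever handshake happens first in the process. Exit status 1 reproduces the report; exit 0 means the build under test creates the context from the handle's own options. Note the converse of the same behaviour: if the first handshake in a worker was done by a handle that set LDAP_OPT_X_TLS_REQUIRE_CERT to LDAP_OPT_X_TLS_NEVER, then under the reported behaviour every later handle in that worker would skip certificate verification as well, with ldap_set_option() still returning true for its own stricter settings.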

PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 13:01:28 2019 UTC