php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78029 ldap_set_option doesn't always set TLS options.
Submitted: 2019-05-17 16:43 UTC Modified: 2022-02-11 12:44 UTC
Votes:6
Avg. Score:4.5 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:4 (66.7%)
From: will dot skates at ntlworld dot com Assigned:
Status: Open Package: LDAP related
PHP Version: 7.2.18 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: will dot skates at ntlworld dot com
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2019-05-17 16:43 UTC] will dot skates at ntlworld dot com
Description:
------------
"ldap_set_option" doesn't behave predictably when you set TLS options. The tests for the extension (*1) _seem_ to suggest that it should just because they pass the resource as the first option.

The TLS context is established the first time an ldap connection is bound (2 & 3). I think that means that if I want to change my TLS settings I have to restart php-fpm and hope I'm the first one to ldap_bind on the box.

[1]: https://github.com/php/php-src/blob/master/ext/ldap/tests/ldap_set_option_cafiles_basic.phpt
[2]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/open.c#L193
[3]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/tls2.c#L368

I'm running the two scripts using "php -S" and navigating to test1.php and test2.php respectively.

I'm not sure what the ideal solution is. OpenLDAP does provide the LDAP_OPT_X_TLS_NEWCTX and LDAP_OPT_X_TLS_CTX options to help deal with this but they both seem to alter the global scope around the function. The problem is just that I can't rely on "ldap_set_option" to actually do what I tell it to. It might be better to create a new TLS context for every connection as it gets bound so that OpenLDAP doesn't override it with the global state.

This is true if I bind using ldaps:// or StartTLS.

For testing I have slapd (2.4.47) running in a container and have generated my own CA, Client and Server certificates.

My LDAP extension info:
ldap

LDAP Support => enabled
RCS Version => $Id: 3839f871a91c293a52322c63329c68db23a0290a $
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
Vendor Version => 20446
SASL Support => Enabled

Directive => Local Value => Master Value
ldap.max_links => Unlimited => Unlimited



Test script:
---------------
https://pastebin.com/n1HUjCwD

Expected result:
----------------
NULL
NULL


Actual result:
--------------
NULL
string(131) "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-02-11 12:44 UTC] requinix@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Nov 05 20:01:30 2024 UTC