Project

General

Profile

Bug #1052

Certificate validation of the LDAPS servers is not enforced

Added by Florent Daigniere about 9 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Certificates
Target version:
-
Start date:
11/29/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

Hi,

Looking around in the source code, it seems that the certificate validation for LDAPS servers is not enforced.

LDAPTLS_REQCERT=never

is set in many places in the source code. The only secure configuration is :

LDAPTLS_REQCERT=hard

were the ssl connection is broken if the certificate verification fails, ensuring that the credentials are not leaked to a third party in case of active MitM attack.

Please fix it.

pfsense-fix-bug1052.diff (1.37 KB) pfsense-fix-bug1052.diff Florent Daigniere, 11/13/2011 08:32 AM
pfsense-fix-bug1052_v2.diff (1.26 KB) pfsense-fix-bug1052_v2.diff Florent Daigniere, 11/13/2011 09:15 AM

Associated revisions

Revision fe2031ab (diff)
Added by Ermal Luçi over 8 years ago

Ticket #1052. Enforce certificates if they are present for authenticating to ldap. Allow to select a CA under ldap type authentication backend to be used for this.

Revision b473da5f (diff)
Added by Ermal Luçi over 8 years ago

Ticket #1052. Enforce certificates if they are present for authenticating to ldap. Allow to select a CA under ldap type authentication backend to be used for this.

Revision 5e17f20d (diff)
Added by Ermal Luçi over 8 years ago

Correct array key typo mistake. Ticket #1052

Revision a7702ed5 (diff)
Added by Ermal Luçi over 8 years ago

Correct array key typo mistake. Ticket #1052

Revision 6daf497b (diff)
Added by Ermal Luçi about 8 years ago

Ticket #1052. Merge patch referenced in ticket.

Revision 906daddc (diff)
Added by Ermal Luçi about 8 years ago

Ticket #1052. Merge patch referenced in ticket.

History

#1 Updated by Florent Daigniere about 9 years ago

One of the places where it should be fixed is openvpn's configuration with LDAPS (see bug #1037)

#2 Updated by Chris Buechler about 9 years ago

  • Priority changed from Urgent to Normal
  • Target version set to 2.0

#3 Updated by Scott Ullrich about 9 years ago

  • Target version changed from 2.0 to 2.1

#4 Updated by Chris Buechler about 9 years ago

  • Target version changed from 2.1 to 2.0

#5 Updated by Ermal Luçi about 9 years ago

You suggested TLS_REQCERT=never while it seems that default setting is 'try' which is the recommended one!?
TLS is hard to get right so i would say either leave it as is for now and later on do properly on 2.1 through the gui.

#6 Updated by Florent Daigniere about 9 years ago

Let me clarify:

The situation was that ALL openvpn authentication requests were failing when it wasn't specified (bug #1037). Setting it to 'never' fixed that problem (in the sense that now the authentications succeed) but is insecure. Since http://redmine.pfsense.org/issues/1037#note-3 I have suggested 'hard', which is secure but won't work if the openvpn CA is different from the LDAPS CA.

To be pendantic, the current scheme sucks. The CA for the LDAPS server might be different from the one used by Openvpn... To fix both bugs properly, you'd have to ask for wich CA to use on the LDAPS configuration panel and to enforce its verification everywhere (openvpn is not the only service which can interface with LDAPS).

This is a security bug. It's not specific to openvpn or the openvpn plugins; it's specific to "using LDAPS". If any service is using it and the pfsense server is being man-in-the-middled, credentials will be leaked. See /etc/inc/auth.inc

#7 Updated by Chris Buechler about 9 years ago

the selection of CA for LDAPS should be in the auth server settings, then everything else should point appropriately to that.

#8 Updated by Ermal Luçi over 8 years ago

  • Status changed from New to Feedback

Just committed a fix for this.
You have to select the CA where you configure LDAP settings for it to be used.
This solves even the issue of OpenVPN where the CA might be different.

#9 Updated by Florent Daigniere over 8 years ago

I've upgraded to today's nightly: It doesn't work for openvpn nor diag_authentication.php

for openvpn: ldap_setup_caenv is always setting 'LDAPTLS_REQCERT=never'

#10 Updated by Ermal Luçi over 8 years ago

That is because you have to select the CA to use under system->User manager->Servers.

That will force to use a policy of hard with the save CA.

#11 Updated by Florent Daigniere over 8 years ago

Ermal Luçi wrote:

That is because you have to select the CA to use under system->User manager->Servers.

That will force to use a policy of hard with the save CA.

I've tried that as well as creating a new LDAP server; it still doesn't work.

I suspect the problem is in auth.inc:ldap_setup_caenv($authcfg)

the condition is

if (empty($authcfg['ldap_cacert']) || !strstr($authcfg['ldap_urltype'], "SSL")) {

$authcfg['ldap_cacert'] is never set as far as I can tell; is that a typo? was it supposed to be $authcfg['ldap_caref'] ? There's a couple of other occurrence of it the same in the function.

Btw, when I force it to check the certificate, the call to ldap_bind() fails; I suspect there's another problem somewhere. I will try to investigate further and will keep you posted.

#12 Updated by Ermal Luçi over 8 years ago

HAve you tested with latest snapshots?

#13 Updated by Florent Daigniere over 8 years ago

Ermal Luçi wrote:

HAve you tested with latest snapshots?

Hi Ermal,

No, I haven't; just came back from holidays. I will try to in the next few days...

Florent

#14 Updated by Chris Buechler over 8 years ago

  • Target version changed from 2.0 to 2.0.1

#15 Updated by Chris Buechler about 8 years ago

  • Target version deleted (2.0.1)

#16 Updated by Florent Daigniere about 8 years ago

What is in master is still not working; There's two problems:

1) the environment variables need to be set before you call ldap_set_option() or they will be ignored
2) TLS_CACERT= and TLS_CACERTDIR= need to be prefixed by LDAP

The patch attached fixes these two problems (works for me)

Florent

#17 Updated by Florent Daigniere about 8 years ago

In fact TLS_CACERTDIR shouldn't be set at all in this case. Here is v2 of the same patch.

I know it's late ... but I hope it will make the cut for 2.0.1; What is in master so far doesn't work at all (the LDAPS binding will fail with a non-explicit error message)

#18 Updated by Ermal Luçi about 8 years ago

Committed.

#19 Updated by Florent Daigniere about 8 years ago

Hi Ermal,

You have commited v1 of the patch, can you please use v2 instead?

Thanks
Florent

#20 Updated by Ermal Luçi about 8 years ago

For me it is ok as is I do not see any loosing on having what i committed.

#21 Updated by Florent Daigniere about 8 years ago

In the following scenario:

LDAP server 1 has a certificate signed by CA1 and is used on openvpn1
LDAP server 2 has a certificate signed by CA2 and is used on openvpn2

If an attacker can convince CA1 to sign a certificate for server2's FQDN, it will be valid and usable to connect to openvpn2 whereas it shouldn't be. Same thing the other way around.

#22 Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

This is working fine on current versions and has been for some time now. Closing.

Also available in: Atom PDF