Bug #14104
Google LDAP connections still fail even after adding SNI for TLS 1.3
Status: open
% Done: 0%
Description
Tested on 23.01 and with IPv6.
After fixing https://redmine.pfsense.org/issues/11626 I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png'), but Google LDAP connections still fail.
In the PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)', so it looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (https://support.google.com/a/answer/9190869).
The strange part is that I get no error if I run # ldapsearch -H ldaps://ldap.google.com -x -d1:
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
Updated by Marcos M almost 2 years ago
- Project changed from pfSense Plus to pfSense
- Category changed from Authentication to Authentication
- Affected Plus Version deleted (23.01)
- Affected Version set to 2.7.0
Updated by Jim Pingle almost 2 years ago
- Project changed from pfSense to pfSense Plus
- Category changed from Authentication to Authentication
- Affected Version deleted (2.7.0)
- Affected Plus Version set to 23.01
LDAP client certs are only available on Plus.
Updated by Kris Phillips over 1 year ago
If the client certificate is chained into a single entry with the CA data, it may be related to this: https://redmine.pfsense.org/issues/14068
I ran into this issue with Google LDAP and breaking up the various components of the chained cert into individual entries resolved it.
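Two checks a practitioner would want when triaging a report like this one: a parser for the per-depth verification lines in an OpenLDAP `-d1` TLS trace (so a failing depth and a self-signed root are spotted at a glance, as in the description's trace), and a splitter that breaks a concatenated PEM bundle into individual entries (the workaround in the comment above). The block below is an added example written for this page, not pfSense or OpenLDAP code; the function names, the constructed sample trace lines and the placeholder PEM bundle are assumptions, and `probe_ldaps` needs network access and uses only the standard library `ssl` module with `server_hostname` so that SNI is sent.

```python
"""Diagnostics for an LDAPS trust failure: parse an OpenLDAP -d1 TLS trace,
split a concatenated PEM bundle, and optionally probe a server with SNI."""
import re
import socket
import ssl

# Constructed sample in the shape of the successful ldapsearch -d1 output
# shown in the bug description (root first, err 0 at every depth).
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
ldap_open_defconn: successful
"""

# Constructed failing sample: err 20 is OpenSSL's
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, i.e. the CA is not in the
# client's trust store, which is what an "Unknown CA" alert on the wire means.
SAMPLE_TRACE_FAIL = """\
TLS certificate verification: depth: 2, err: 20, subject: /CN=Example Root, issuer: /CN=Example Root
TLS: can't connect: certificate verify failed.
"""

VERIFY_RE = re.compile(r"depth: (\d+), err: (\d+), subject: (.+?), issuer: (.+)$")


def parse_tls_trace(text):
    """Extract the per-depth verification results from a -d1 trace.

    Returns the chain (root first), whether every depth verified with err 0,
    and the depths that failed."""
    chain = []
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, err, subject, issuer = m.groups()
        chain.append({
            "depth": int(depth),
            "err": int(err),
            "subject": subject,
            "issuer": issuer,
            "self_signed": subject == issuer,  # true for a root or a bare self-signed cert
        })
    chain.sort(key=lambda c: -c["depth"])
    return {
        "chain": chain,
        "verified": bool(chain) and all(c["err"] == 0 for c in chain),
        "failed_depths": [c["depth"] for c in chain if c["err"] != 0],
    }


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholder bundle: three PEM blocks, not real certificate data.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateNotRealData==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCertificateNotRealData==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCertificateNotRealData==
-----END CERTIFICATE-----
"""


def split_pem_bundle(pem_text):
    """Return each certificate in a concatenated PEM file as its own string,
    in file order, so leaf and CA material can be loaded as separate entries."""
    return [m.group(0) for m in PEM_RE.finditer(pem_text)]


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS connection with SNI and report whether the chain verifies.

    cafile=None uses the system trust store (what ldapsearch did in the report);
    pass a CA bundle path to test a specific trust anchor instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "subject": tls.getpeercert().get("subject")}
        except ssl.SSLCertVerificationError as e:
            # verify_code matches the err number printed in the -d1 trace
            return {"ok": False, "code": e.verify_code, "reason": e.verify_message}
```

Running `parse_tls_trace` over a captured trace tells you immediately whether the failure is at the root (trust store) or at the leaf (hostname or expiry), and `probe_ldaps` with and without a `cafile` separates "the system store trusts this CA" from "the bundle I configured does".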