Bug #14104 (open): Google LDAP connections still fail even after adding SNI for TLS 1.3

Added by Azamat Khakimyanov about 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 23.01
Affected Architecture:
Description

Tested on 23.01 and with IPv6.

After fixing https://redmine.pfsense.org/issues/11626 I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png'), but Google LDAP connections still fail.

In the PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)', so it looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (https://support.google.com/a/answer/9190869).

The strange part is that I got no error if I run # ldapsearch -H ldaps://ldap.google.com -x -d1

ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful


Files

Client_Hello.png (195 KB) Client_Hello.png Azamat Khakimyanov, 03/14/2023 03:01 AM
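The debug trace above shows the one thing a practitioner wants to compare between the working ldapsearch run and the failing pfSense LDAP client: which chain the server presented and at which depth verification succeeded or failed, because a fatal "Unknown CA" alert is what a TLS client sends when it cannot link the presented chain to a root in its own trust store. The following script is an added example, not pfSense or OpenLDAP code. It parses the "TLS certificate verification: depth: N, err: E, ..." lines of an ldapsearch -d1 trace, checks that the chain links up and that every depth verified, and maps the common OpenSSL verify error codes to a readable cause. The first sample is the trace from the report; the second sample (err 19 at the root) is constructed to show what a missing root looks like and is not output from the report. probe_ldaps is an optional live check (assumed helper name) that opens a TLS session with SNI set to the host name and verifies against a CA file of your choice, so the same host can be tested against the system bundle and against the CA configured for the LDAP server entry; it only runs when a host name is passed on the command line.

```python
import re
import socket
import ssl
from dataclasses import dataclass

# OpenSSL X509 verify error codes that typically make a client abort with the
# fatal "unknown_ca" (48) alert seen in the reporter's capture.
UNKNOWN_CA_ERRORS = {
    18: "self-signed certificate at depth 0",
    19: "self-signed certificate in chain (root not in the trust store)",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Sample 1: the verification lines from the ldapsearch -d1 output in the report.
TRACE_OK = """\
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
ldap_open_defconn: successful
"""

# Sample 2 (constructed, hypothetical): the same chain when GTS Root R1 is
# absent from the client's CA file, so the root fails with err 19.
TRACE_UNKNOWN_CA = """\
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
"""

LINE_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


@dataclass
class ChainEntry:
    depth: int
    err: int
    subject: str
    issuer: str


def parse_trace(text):
    """Extract the per-depth verification lines, ordered root (highest depth) first."""
    entries = [
        ChainEntry(int(m["depth"]), int(m["err"]), m["subject"], m["issuer"])
        for line in text.splitlines()
        if (m := LINE_RE.match(line.strip()))
    ]
    return sorted(entries, key=lambda e: e.depth, reverse=True)


def diagnose(entries):
    """Return (ok, message): ok is True only if the chain links and every depth verified."""
    if not entries:
        return False, "no verification lines found (handshake never reached certificate checking)"
    # Each certificate's issuer must be the subject one depth up.
    for upper, lower in zip(entries, entries[1:]):
        if lower.issuer != upper.subject:
            return False, (f"chain break at depth {lower.depth}: "
                           f"issuer {lower.issuer!r} != {upper.subject!r}")
    for e in entries:
        if e.err:
            reason = UNKNOWN_CA_ERRORS.get(e.err, f"X509 verify error {e.err}")
            return False, f"verify error at depth {e.depth} ({e.subject}): {reason}"
    root = entries[0]
    top = "self-signed root" if root.subject == root.issuer else "NOT self-signed (chain truncated?)"
    return True, f"{len(entries)} certificates verified; top of chain {root.subject!r} is a {top}"


def probe_ldaps(host, port=636, cafile=None, timeout=10):
    """Live check (assumed helper): TLS connect with SNI=host, verify against cafile
    (None = system trust store). Returns (ok, detail) without raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                leaf = tls.getpeercert()
                return True, f"{tls.version()} to {host}; leaf subject {leaf.get('subject')}"
    except ssl.SSLCertVerificationError as exc:
        # verify_code is the same OpenSSL X509 error number the trace prints as 'err'.
        return False, f"verify failed (err {exc.verify_code}): {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    for label, trace in (("report trace", TRACE_OK), ("constructed failure", TRACE_UNKNOWN_CA)):
        print(label, "->", diagnose(parse_trace(trace)))
    if len(sys.argv) > 1:  # e.g. python check_ldaps.py ldap.google.com /path/to/ca.pem
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe_ldaps(sys.argv[1], cafile=cafile))
```

Running probe_ldaps once with cafile=None and once with the CA file the LDAP server entry actually uses is the quickest way to tell a trust-store mismatch (err 19 or 20 only with the second file) from an SNI or protocol problem (failure with both).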