Defect #8068

LDAP Authentificaton doesn't verify certificate validity

Added by Siegfried Vogel over 6 years ago. Updated 4 months ago.

Status:NewStart date:2011-04-05
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:LDAP
Target version:-
Resolution: Affected version:1.1.2

Description

Security-Bug:
LDAP Authentificaton doesn't verify certificate validity of the LDAP-server-certificate. Connection to the LDAP-Server with LDAPS is established, even if the server name in the certifitcate doesn't match or the certificate authority is not trustful.

Solution: If something is wrong with the certificate, or the certificate authority is not trustful, the connection to the LDAP-Server should be closed and any LDAP-Login should be disabled.


Related issues

Duplicated by Redmine - Defect #8091: LDAP Authentificaton doesn't verify certificate validity Closed 2011-04-05

History

#1 Updated by Etienne Massip over 6 years ago

  • Category set to LDAP

#2 Updated by Ruben Kruiswijk over 6 years ago

A possible 'fix' should be made optional. Not every company uses certificates issued by official certificate authorities. Their are enough self-signed certificates that still have to work.

#3 Updated by Tony Edmonds over 6 years ago

Whether the certificate is self-signed, signed by an in-house CA, or signed by an "official" CA, doesn't matter. Redmine should attempt to check the validity of the cert against information on the local machine. Nothing about a self-signed cert precludes this.

#4 Updated by Tony Edmonds over 6 years ago

I can't work out how to fix this myself, but one possible workaround is to use socat to proxy the LDAP port (389) on localhost to the real LDAPS service, validating the certificate along the way.

socat TCP4-LISTEN:389,bind=localhost,reuseaddr,fork,su=nobody OPENSSL:ldapserver.example.com:636,cafile=/etc/ssl/certs/ldapcert.pem &

Then point Redmine to localhost for LDAP (non TLS).

#5 Updated by ciaran jessup 4 months ago

The 'fix' (which should really be on by default or you could be sending your passwords anywhere :/) can be made by changing

source:trunk/app/models/auth_source_ldap.rb@16773#L147

to something along the lines of

                :encryption => {
                   method: :simple_tls,
                   tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
                 }

(note I've removed the optional check of self.tls, this is purely for reference purposes!!!)

If the change above is made then the certificate will be verified correctly, if the certificate is self signed or not available in the operating system's certificate stores for some other reason then the instructions here explain how to install the relevant certificate.

Also available in: Atom PDF