
This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 2501
Status: resolved
Priority: 0/
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: gbarr [...] pobox.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Date: Tue, 6 May 2003 10:15:51 +0100
From: Graham Barr <gbarr [...] pobox.com>
To: bug-perl-ldap [...] rt.cpan.org
Subject: start_tls woes
----- Forwarded message from Chris Ridd <chrisridd@mac.com> -----

Date: Mon, 05 May 2003 16:55:35 +0100
To: "Holzman, Dan" <Dan.Holzman@am.sony.com>, "'perl-ldap@perl.org'" <perl-ldap@perl.org>
From: Chris Ridd <chrisridd@mac.com>
Subject: Re: start_tls woes

On 5/5/03 4:24 pm, Holzman, Dan <Dan.Holzman@am.sony.com> wrote:

> I saw there was some discussion of this previously, but I couldn't find a
> resolution in the archive, unless it's a matter of Perl version.
>
> My versions are:
>
> Solaris 5.8
> Perl 5.005_03
> Net::LDAP: .2701
> IO::Socket::SSL: .92
>
> My start_tls results are:
>
> Net::LDAP=HASH(0x22494) sending:
> 0000 29: SEQUENCE {
> 0002 1: INTEGER = 1
> 0005 24: [APPLICATION 23] {
> 0007 22: [CONTEXT 0]
> 0009 : 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
> 0019 : 2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
> 001F : }
> 001F : }

That looks like a correct ExtendedRequest PDU with the start_tls OID.

> Net::LDAP=HASH(0x22494) received:
> 0000 22: SEQUENCE {
> 0006 1: INTEGER = 1
> 0009 13: [APPLICATION 24] {
> 000F 7: SEQUENCE {
> 0015 1: ENUM = 2
> 0018 0: STRING = ''
> 001A 0: STRING = ''
> 001C : }
> 001C : }
> 001C : }
> TLS Response: decode error 30<=>0a at /usr/perl5/site_perl/5.005//Convert/ASN1/_decode.pm line 108, <STDIN> chunk 2.

That is the server sending an ExtendedResponse PDU containing a protocol error. Servers are meant to do that if TLS is not supported or the PDU structure's incorrect (RFC 2830 section 2.3). The code in start_tls() doesn't check for errors, and it probably should.

> The connection remains unencrypted, but the LDAP authentication itself
> proceeds normally.

Does your server support start_tls? Have you checked the supportedExtension attribute in the root DSE contains a value of "1.3.6.1.4.1.1466.20037"? If it doesn't, then you can't use start_tls with that server :-(

> Any help would be appreciated.
>
> Regards,
>
> Daniel B. Holzman, CISSP
> Network Security Specialist
> Network Technology Group
> Information Systems & Solutions of America
> Sony Electronics, Inc.
>
> 123 Tice Blvd MD T3-4
> Woodcliff Lake, NJ 07675
>
> Standard disclaimers apply.

Cheers,

Chris
----- End forwarded message -----
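The two checks Chris suggests in the thread, verifying that the root DSE advertises the start_tls OID and refusing to continue when the ExtendedResponse carries an error, can be done from the caller's side regardless of what start_tls() itself does internally. The following is an added example written for this ticket, not code from the ticket or from the perl-ldap distribution; it assumes a current Net::LDAP (with root_dse() and Net::LDAP::Constant's LDAP_EXTENSION_START_TLS), and the hostname, CA file path, bind DN and password are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the ticket or from perl-ldap): establish an LDAP
# session that either runs over TLS or does not bind at all, so that a
# rejected start_tls can never leave credentials travelling in the clear.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_EXTENSION_START_TLS);

my $host   = 'ldap.example.com';              # placeholder hostname
my $cafile = '/etc/ssl/certs/ca-bundle.crt';  # placeholder CA bundle path
my $binddn = 'cn=reader,dc=example,dc=com';   # placeholder bind DN
my $passwd = 'placeholder-password';          # placeholder credential

my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@\n";

# Step 1: does the server advertise 1.3.6.1.4.1.1466.20037 (start_tls)
# in the root DSE's supportedExtension attribute? If not, the server
# cannot upgrade this connection and there is no point asking it to.
my $dse = $ldap->root_dse(attrs => ['supportedExtension'])
    or die "could not read root DSE from $host\n";

unless ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
    my @ext = $dse->get_value('supportedExtension');
    die sprintf "%s does not advertise start_tls (supportedExtension: %s)\n",
        $host, @ext ? join(', ', @ext) : '(none)';
}

# Step 2: send the ExtendedRequest and inspect the ExtendedResponse.
# A non-zero result code (e.g. protocolError, code 2, as seen in the
# ticket's trace) means the socket was NOT upgraded; stop here rather
# than proceed over plaintext. verify => 'require' also makes a bad or
# untrusted server certificate fatal instead of silently accepted.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
if ($tls->code != LDAP_SUCCESS) {
    die sprintf "start_tls rejected by %s: %s (result code %d)\n",
        $host, $tls->error, $tls->code;
}

# Step 3: only now, with TLS in place, send the bind credentials.
my $bind = $ldap->bind($binddn, password => $passwd);
die "bind failed: " . $bind->error . "\n" if $bind->code != LDAP_SUCCESS;

print "bound to $host over TLS\n";
$ldap->unbind;
```

The ordering is the point: the supportedExtension check gives a clear diagnostic up front, and checking the start_tls() result code before bind() turns the silent fallback described in the thread (unencrypted connection, authentication "proceeds normally") into a hard failure that operators will notice.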