error accessing ldaps key server (TLS vs. STARTTLS)
Open, Normal, Public

Description

Hi,

I'm having trouble accessing a key server with the LDAPS protocol, e.g. LDAP over TLS on port 636.

When dirmngr connects to ldaps://ourinternalkeyserver/, it first sends a STARTTLS command and the server software rejects it because it expects the client to first establish a TLS connection. It seems that dirmngr only handles TLS if the connection is initially unencrypted and switched to TLS dynamically with the STARTTLS mechanism.

I think that ldaps:// URLs should be handled differently than ldap:// + STARTTLS.

Can anyone reproduce this problem? It should be enough to configure an OpenLDAP key server with ldaps on port 636. Unfortunately I can only test on an old PGP Universal Server. I checked that a simple ldapsearch can retrieve data:

ldapsearch -H ldaps://pgpks.example.com:636 -b "o=Searchable PGP keys" -x -v -LLL "pgpUserID=*e*"

Also, both openssl s_client -host pgpks.example.com -port 636 and gnutls-cli --verbose pgpks.example.com:636 report that they can successfully establish a TLS connection to the server (so both openssl and gnutls accept the server certificate as trusted).

A tcpdump shows the rejected STARTTLS command (pasted from Wireshark: 0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037).

Details

Version
3.5.8 (Debian stretch)
jpi created this task. Feb 23 2018, 10:36 AM
werner renamed this task from "error accessing ldaps key server" to "error accessing ldaps key server (TLS vs. STARTTLS)". Apr 17 2018, 8:38 PM
werner triaged this task as Normal priority.
jpi added a comment. Apr 18 2018, 9:43 AM

Thanks for looking into this issue :-)

I can reproduce it and test patches.