
ldaps enable but check certificate subject alternative name of server certificate failed in ip format #258

Open
kaoriakana opened this issue Aug 5, 2024 · 0 comments


kaoriakana commented Aug 5, 2024

Hi! I tried the ldaps test with my ldaps server (compiled from openldap source code) and nginx with the nginx-auth-ldap module.
I tried the ldap configuration in nginx.conf. The test is good.
I tried the ldaps configuration with the url in domain name format. The test is also good.
But if I changed the ldaps configuration to a url in ip format, the test always failed.

My nginx.conf, the ldaps server url part:
url ldaps://192.168.0.133:636/dc=ipcamera,dc=com?uid?sub?(objectClass=*);

The following is the SAN in my server certificate.
X509v3 Subject Alternative Name:
DNS:green-3kl.com, IP Address:192.168.0.133

I traced the code.
I found that maybe something is wrong in function ngx_http_auth_ldap_ssl_handshake_handler().
There is one line in the function:

addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);

The return value of addr_verified seems to always be 0.
It makes the following if statement,
if ( !(cert && addr_verified && chain_verified == X509_V_OK) )
always get the error message.

I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
may cause something wrong.

X509_check_ip() will compare the cert's SAN name and conn_sockaddr->sa_data,
to make sure the certificate is really for the ldaps server.

But the type of conn_sockaddr is "struct sockaddr".
The beginning of sockaddr->sa_data seems not to be the ip address.
That's why the comparison result is always different.

I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
should change to

struct sockaddr_in *addr_in = (struct sockaddr_in *)conn_sockaddr;
const unsigned char *ip_addr = (const unsigned char *)&addr_in->sin_addr;
addr_verified = X509_check_ip(cert, ip_addr, len, 0);

or
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data+2, len, 0);
because the ip address is shifted 2 bytes from sa_data[0].

I am a newcomer. Is there anyone who can double-confirm my question?
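As an added illustration of the layout mismatch described in this issue (not code from nginx-auth-ldap or OpenSSL), the block below builds a sockaddr for the reported server 192.168.0.133:636, shows that sa_data begins with the port bytes rather than the address, and extracts the address bytes in a family-aware way, which also covers IPv6 where a fixed "+2" offset would not land on the address. X509_check_ip() itself is not called so the example runs without OpenSSL; the IPv6 address 2001:db8::1 is a constructed sample.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Raw address bytes inside a generic sockaddr (the buffer X509_check_ip() expects)
 * and their length: 4 for IPv4, 16 for IPv6; NULL for families a SAN cannot name. */
static const unsigned char *sockaddr_ip_bytes(const struct sockaddr *sa, size_t *len)
{
    switch (sa->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        *len = sizeof(in4->sin_addr);
        return (const unsigned char *)&in4->sin_addr;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        *len = sizeof(in6->sin6_addr);
        return (const unsigned char *)&in6->sin6_addr;
    }
    default: *len = 0; return NULL;
    }
}

/* Constructed IPv4 sample 192.168.0.133:636. Returns 1 when sa_data starts with the
 * port (636 = 0x02 0x7c), not the address, and extraction yields the 4 address bytes. */
static int demo_v4(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(636) };
    const struct sockaddr *sa = (const struct sockaddr *)&a;
    const unsigned char expect[4] = {192, 168, 0, 133};
    const unsigned char *d = (const unsigned char *)sa->sa_data, *p;
    size_t len;
    inet_pton(AF_INET, "192.168.0.133", &a.sin_addr);
    p = sockaddr_ip_bytes(sa, &len);
    return d[0] == 0x02 && d[1] == 0x7c && p && len == 4 && memcmp(p, expect, 4) == 0;
}

/* Byte offset of the address inside a constructed IPv6 sockaddr: a fixed
 * "sa_data + 2" (offset 4) would point at the port and flowinfo instead. */
static size_t v6_addr_offset(void)
{
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6 };
    size_t len;
    inet_pton(AF_INET6, "2001:db8::1", &a6.sin6_addr);
    return (size_t)(sockaddr_ip_bytes((const struct sockaddr *)&a6, &len) - (const unsigned char *)&a6);
}
```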
