TCP Connection not closed if non SSL ldaptor LDAPServer accessed via SSL #170

Open
OzzieIsaacs opened this issue Apr 12, 2020 · 1 comment

Comments

@OzzieIsaacs
I'm using ldaptor for testing the LDAP login routines of my code. The ldaptor LDAPServer acts as the server in this use case. One of the test cases is accessing a non-SSL server (ldaptor) via an SSL-configured client (my code).

The server reacts with a log output:

ldaptor.protocols.pureber.UnknownBERTag: BERDecoderContext has no tag 0x16: <LDAPBERDecoderContext_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>

and the TCP connection doesn't get closed, which causes the client to never return. (This looks similar to #137.)
I tried to debug the code a little bit; it hits the following line in pureber.py:
print(str(UnknownBERTag(i, context))) # TODO
If I add a line afterwards
raise UnknownBERTag(i, context)
the code closes the connection via the general exception handler with a traceback in twisted (not the best solution, but better than now).

Steps to reproduce (tested with Linux Mint 19.3 python 3.6, using ldaptor 19.1.0):

  • Start ldapserver.py
  • On the command line, start ldapsearch -H ldaps://127.0.0.1:10389 -x
  • The server outputs the line and the command never returns.
    Executing the same command (with the 'ldaps' address) on an openldap server (also configured non-SSL), it returns immediately with ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) (My hack leads to the same result).

Would be great if you could find a proper solution for this.

Thanks a lot

@OzzieIsaacs OzzieIsaacs changed the title TCP Connection not closed if non SSL ldaptor LDAPServer accecced via SSL TCP Connection not closed if non SSL ldaptor LDAPServer accessed via SSL Apr 12, 2020
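
Added example, not part of the issue thread and not ldaptor's code: the tag 0x16 in the report is the TLS "handshake" record type that an ldaps:// client sends first, so a plaintext listener can reject it at the message boundary and close the connection instead of logging and waiting. `split_messages`, `FailClosedReceiver`, `FakeTransport` and `MAX_MESSAGE` are hypothetical names, and the transport is a stand-in that only mimics Twisted's `loseConnection()`.

```python
LDAP_MESSAGE_TAG = 0x30  # BER SEQUENCE: every LDAPMessage starts with this byte
TLS_HANDSHAKE = 0x16     # TLS record type "handshake": first byte of a ClientHello
MAX_MESSAGE = 1 << 20    # assumed size cap for this sketch, not an ldaptor setting
TLS_HELLO = bytes.fromhex("16030102000100")         # constructed: start of a TLS record
BIND = bytes.fromhex("300c020101600702010304008000")  # constructed: anonymous simple bind

class FramingError(Exception): """The byte stream cannot be a sequence of LDAPMessages."""

def split_messages(buf):
    """Return (complete LDAPMessage blobs, unconsumed tail); raise on a bad tag."""
    messages = []
    while buf:
        if buf[0] != LDAP_MESSAGE_TAG:
            hint = " (TLS handshake on a plaintext port?)" if buf[0] == TLS_HANDSHAKE else ""
            raise FramingError("unexpected top-level tag 0x%02x%s" % (buf[0], hint))
        if len(buf) < 2:
            break  # length octet not received yet
        header, length = 2, buf[1]
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            if n == 0 or n > 4:
                raise FramingError("unsupported BER length encoding")
            if len(buf) < 2 + n:
                break  # length octets not complete yet
            header, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
        if length > MAX_MESSAGE:
            raise FramingError("LDAPMessage exceeds size cap")
        if len(buf) < header + length:
            break  # wait for the rest of this message
        messages.append(buf[:header + length])
        buf = buf[header + length:]
    return messages, buf

class FakeTransport:  # stand-in for a Twisted transport (assumption for this sketch)
    closed = False
    def loseConnection(self):
        self.closed = True

class FailClosedReceiver:  # hypothetical receiver: any framing error ends the connection
    def __init__(self, transport):
        self.transport, self.buffer, self.messages, self.error = transport, b"", [], None
    def dataReceived(self, data):
        try:
            complete, self.buffer = split_messages(self.buffer + data)
        except FramingError as exc:
            self.error = str(exc)
            self.transport.loseConnection()  # fail closed instead of logging and waiting
        else:
            self.messages.extend(complete)
```

Feeding `TLS_HELLO` closes the fake transport on the first byte, while `BIND` split across two reads is reassembled and the connection stays open.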
@stalaiya
I believe I am facing the same issue while working with an AD server with SSL. Everything works fine, but I keep seeing this error in the logs right after the proxy sends 'LDAPUnbindRequest':

2020-12-12 16:23:46-0500 [LoggingProxy,0,127.0.0.1] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-12-12 16:23:46-0500 [-] BERDecoderContext has no tag 0x8a: <LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2020-12-12 16:23:46-0500 [LDAPClient (TLSMemoryBIOProtocol),client] Got unsolicited notification: LDAPExtendedResponse(resultCode=52, errorMessage='00000003: LdapErr: DSID-0C060607, comment: Error decrypting ldap message, data 0, v3839\x00')
