Bug#740162: mod_authnz_ldap: no error.log feedback about LDAP TLS issues such as cert expiry, cipher mismatch, etc
Package: apache2.2-bin
Version: 2.2.22-13+deb7u1
Apache is authenticating users against an LDAP server.
An ldaps:// URL is used, e.g.
AuthLDAPURL "ldaps://ldap.example.org/dc=example,dc=org"
When the LDAP server SSL cert expires, access to the protected URLs
fails with 500 "Internal Server Error" and tells the user to check the
server's error log
There is nothing in error.log to indicate that the fault is with LDAP or
TLS - nothing in error.log at all. For this situation, there should be
an error log entry complaining that the LDAP server certificate is expired.
After updating the cert and restarting slapd it is still not working
though and there is still nothing in error.log
tcpdump shows that there are attempts to contact the LDAP server. The
client hello packet is sent to the server using SSL 3.0 and there is no
response, the server just drops the connection.
Connecting to the server with openssl s_client works as expected and the
cert is verified.
Looking more closely, I found that
a) the new LDAP server certificate was signed with SHA512
b) libgnutls26 seems to have bugs with that (see also Debian bug 740160)
c) in this case, there is little that mod_authnz_ldap can do but it
would still be very helpful if it logged something to error.log to say
that the LDAP server unexpectedly dropped the connection during the TLS
handshake
Just to clarify, when I originally saw the "Internal Server Error" I had
no idea it was even an LDAP issue - my first thought was that the fault
was in the CGI script I was trying to access and I started trying to
debug the script. This is why I think there should be logging about
these TLS issues.
Reply to: