Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection

Elliott Mitchell ehem+debian at m5p.com
Tue Apr 30 06:22:15 BST 2024


On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> On 2024-04-29 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> > Package: libgnutls30
> > Version: 3.7.9-2+deb12u2
> > Severity: important
> 
> > Long story to finding this one.  Trying to get LDAP setup on this
> > network.  As a recent deployment it seemed appropriate to use IPv6.
> 
> > From `nslcd` on clients I was getting the message:
> > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The TLS connection was non-properly terminated.: Resource temporarily unavailable
> 
> > Running `nslcd` in debug mode failed to yield any additional useful
> > information.
> 
> > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > is two arguments, the ldaps and ldapi are a single argument), I got
> > traces from `slapd`: (serial numbers filed off)
> 
> > tls_read: want=5, got=5
> >   0000:  16 03 01 01 8f
> 
> > tls_read: want=399, got=399
> >   0160:    ............fd12  
> >   0170:    :3456:7890:abcd:  
> >   0180:    :3.-......... at .   
> > TLS: can't accept: A disallowed SNI server name has been received..
> > connection_read(13): TLS accept failure error=-1 id=1005, closing
> 
> > Further tracing of the error message appears to point to the function
> > `_gnutls_dnsname_is_valid()` in gnutls/lib/str.h.  Seems libgnutls30 is
> > incompatible with numeric IPv6 addresses.
> 
> > While IPv6-only hosts are presently uncommon, there is now quite a bit of
> > IPv6 traffic in many places.  I think this is worthy of having a severity
> > of "critical" as "bookworm" may remain as "stable" past when there is
> > more IPv6 traffic than IPv4 traffic.  For "trixie" this seems very
> > likely.
> [...]
> 
> Good morning,
> 
> I guess you used the IPv6 address as either CN or Subject Alternative
> Name. Both take names, not IP addresses. There is a different field for
> IP addresses.
> 
> gnutls-cli --port 636 fd12:3456:7890:abcd::3 
> 
> will probably give more info.
> 
> FWIW I have just generated a local test certificate with "IPAddress:"
> set to '::1' and things work for me as expected.

Hmm, `gnutls-cli --port ldaps` gave a different result.  The connection
successfully established and I was left being able to type to `slapd`.

Unfortunately that means there are 3 packages which could be the one
responsible for the problem.  Could be libgnutls30 as I originally
suspected.  Yet `slapd` and `nslcd` could also be responsible for the
problem.

The string "A disallowed SNI server name has been received." is found in
`libgnutls.so.30`.

The string "connection_read(%d): input error=%d id=%lu, closing." is
found in `/usr/sbin/slapd`.

Anything further is purely guesswork.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sigmsg at m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445


