https://bugzilla.redhat.com/show_bug.cgi?id=849081 (Red Hat Enterprise Linux 6)
Description of problem:
SSSD does not close TCP connections if SSL fails. For example, if I use ldaps://10.65.211.123 as the ldap_uri, SSL fails with the error "hostname does not match CN in peer certificate"; however, SSSD does not attempt to close the established connection, and for the next request SSSD opens a new connection. This is repeated until the ldap server runs out of available ports/fds.

Version-Release number of selected component (if applicable):
sssd-1.8.0-32.el6

How reproducible:
Always.

Steps to Reproduce:
1. Set up an ldap server with SSL
2. Copy the CA certificate to Client
3. Configure SSSD with ldap_uri=ldaps://ip.address or a hostname(short) which does not match the CN in the certificate.

Actual results:
SSSD fails to connect to the ldap server due to CN mismatch; sssd does not close the existing connection and opens a new one on the next request.

Expected results:
SSSD fails to connect to the ldap server due to CN mismatch; it closes the existing connection.

Additional info:
This could cause DOS on the ldap server, especially if the client is configured with 'enumerate=true'. I have not noticed the issue with start_tls (ldap_uri ldap:// & use secure connection for id look-up set).
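An added illustration of the behaviour reported above, not SSSD code and not part of the original ticket: a minimal C model in which socketpair() stands in for the TCP connection to the LDAP server and a string compare against a constructed CN (ldap.example.com) stands in for the TLS name check. It counts how many connections the server side still holds after repeated failed requests, with and without closing on failure.

```c
/* Added illustration, not SSSD code. Assumptions: socketpair() stands in for
 * the TCP connection; a CN string compare stands in for the TLS name check. */
#include <stdio.h>
#include <strings.h>
#include <sys/socket.h>
#include <unistd.h>

/* Stand-in for the check behind "hostname does not match CN in peer certificate". */
static int name_matches(const char *uri_host, const char *cert_cn) {
    return strcasecmp(uri_host, cert_cn) == 0;
}

/* One connection attempt. *srv_fd receives the server's end of the connection.
 * Returns the client fd on success, -1 on failure.
 * close_on_fail = 0 models the reported behaviour, 1 the expected one. */
static int try_connect(const char *uri_host, const char *cert_cn,
                       int close_on_fail, int *srv_fd) {
    int sv[2];
    *srv_fd = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    *srv_fd = sv[1];
    if (!name_matches(uri_host, cert_cn)) {
        if (close_on_fail)
            close(sv[0]);  /* tear the connection down with the failed session */
        return -1;         /* otherwise sv[0] is lost but still open: the leak */
    }
    return sv[0];
}

/* Make `attempts` failing requests and return how many connections the
 * server still sees open afterwards (its peer never sent EOF). */
int server_conns_held(int attempts, int close_on_fail) {
    int held = 0;
    for (int i = 0; i < attempts; i++) {
        int srv_fd;
        char c;
        /* URI host from the report; the CN is a constructed sample value. */
        (void)try_connect("10.65.211.123", "ldap.example.com", close_on_fail, &srv_fd);
        if (srv_fd < 0) continue;
        /* recv() == 0: client closed. -1/EAGAIN: client is still connected. */
        if (recv(srv_fd, &c, 1, MSG_DONTWAIT) != 0)
            held++;
        close(srv_fd);
    }
    return held;
}

int main(void) {
    printf("held without close: %d\n", server_conns_held(5, 0));
    printf("held with close:    %d\n", server_conns_held(5, 1));
}
```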
Fields changed
blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0
This was fixed in d8fbc52
I'll leave the ticket open until our weekly meeting so that the associated bugzilla is triaged.
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 7
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.9.0 beta 7
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2532
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.