kvspb/nginx-auth-ldap

ldaps enabled, but the check of the server certificate's subject alternative name fails when the URL is in IP format

kaoriakana opened this issue · 0 comments

Hi! I tried the ldaps test with my ldaps server (compiled from the OpenLDAP source code) and nginx with the nginx-auth-ldap module.
I tried the ldap configuration in nginx.conf. The test is good.
I tried the ldaps configuration with the url in domain-name form. The test is also good.
But if I change the ldaps configuration to a url in IP format, the test always fails.

The ldaps server url part of my nginx.conf:
url ldaps://192.168.0.133:636/dc=ipcamera,dc=com?uid?sub?(objectClass=*);

The following is the SAN in my server certificate.
X509v3 Subject Alternative Name:
DNS:green-3kl.com, IP Address:192.168.0.133

I traced the code.
I found that something may be wrong in the function ngx_http_auth_ldap_ssl_handshake_handler().
There is one line in the function:

addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);

The return value of addr_verified seems to always be 0.
It makes the following if statement,
if ( !(cert && addr_verified && chain_verified == X509_V_OK) )
always produce the error message.

I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
may cause something wrong.

X509_check_ip() will compare the cert's SAN name with conn_sockaddr->sa_data,
to make sure the certificate is really for the ldaps server.

But the type of conn_sockaddr is "struct sockaddr".
The beginning of sockaddr->sa_data does not seem to be the IP address.
That's why the comparison result is always different.

I think
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data, len, 0);
should be changed to

struct sockaddr_in *addr_in = (struct sockaddr_in *)conn_sockaddr;
const unsigned char *ip_addr = (const unsigned char *)&addr_in->sin_addr;
addr_verified = X509_check_ip(cert, ip_addr, len, 0);

or
addr_verified = X509_check_ip(cert, (const unsigned char*)conn_sockaddr->sa_data+2, len, 0);
because the IP address is shifted 2 bytes from sa_data[0].

I am a newcomer. Can anyone double-confirm my question?
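As an added example (not code from this issue or from nginx-auth-ldap), the following C shows why sa_data cannot be handed to X509_check_ip() directly and extracts the address bytes per address family instead; the X509_check_ip() call itself appears only in a comment so the block runs without OpenSSL. It assumes a constructed sockaddr built from text (build_sa) and derives the 4- or 16-byte length itself rather than using the module's len.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>

/* Address bytes (network order) and their length, as X509_check_ip() expects,
 * taken from a generic sockaddr. NULL for unsupported families. */
const unsigned char *sockaddr_ip_bytes(const struct sockaddr *sa, size_t *len)
{
    if (sa->sa_family == AF_INET) {   /* sin_addr is 2 bytes into sa_data; sin_port comes first */
        *len = sizeof(struct in_addr);
        return (const unsigned char *)&((const struct sockaddr_in *)sa)->sin_addr;
    }
    if (sa->sa_family == AF_INET6) {  /* here sa_data+2 is sin6_flowinfo, not the address */
        *len = sizeof(struct in6_addr);
        return (const unsigned char *)&((const struct sockaddr_in6 *)sa)->sin6_addr;
    }
    *len = 0;
    return NULL;
}

/* Constructed test input: fill a sockaddr_storage from a text address and port. */
static int build_sa(struct sockaddr_storage *ss, const char *ip, unsigned short port)
{
    struct sockaddr_in *in4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET, ip, &in4->sin_addr) == 1) {
        in4->sin_family = AF_INET; in4->sin_port = htons(port); return 1;
    }
    if (inet_pton(AF_INET6, ip, &in6->sin6_addr) == 1) {
        in6->sin6_family = AF_INET6; in6->sin6_port = htons(port); return 1;
    }
    return 0;
}

/* What the buggy call compares against the SAN: the first two sa_data bytes, i.e. the port. */
int sa_data_leading_u16(const char *ip, unsigned short port)
{
    struct sockaddr_storage ss;
    if (!build_sa(&ss, ip, port)) return -1;
    const unsigned char *d = (const unsigned char *)((struct sockaddr *)&ss)->sa_data;
    return (d[0] << 8) | d[1];
}

/* 1 if the extracted address equals expect[0..expect_len). In the module the
 * corrected call would be: addr_verified = X509_check_ip(cert, p, len, 0); */
int ip_bytes_match(const char *ip, unsigned short port, const unsigned char *expect, size_t expect_len)
{
    struct sockaddr_storage ss; size_t len;
    if (!build_sa(&ss, ip, port)) return 0;
    const unsigned char *p = sockaddr_ip_bytes((struct sockaddr *)&ss, &len);
    return p && len == expect_len && memcmp(p, expect, len) == 0;
}
```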