
Release 0.18.0 prevents connection when verify_mode is set to OpenSSL::SSL::VERIFY_PEER #418

Open
jpwilksch opened this issue Jul 7, 2023 · 1 comment

Comments

@jpwilksch

net-ldap version 0.18.0
LDAP server version: Windows Active Directory (unsure of specific version)
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

I upgraded from net-ldap v0.17.1 to 0.18.0 to find our Rails app could no longer connect to our LDAP server:

[FATAL] Net::LDAP::ConnectionError (Unable to connect to any given server: 
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.162.22:636 state=error: certificate verify failed (Hostname mismatch) (host1.ourdomain.com:636)
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.163.22:636 state=error: certificate verify failed (Hostname mismatch) (host2.ourdomain.com:636)
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.161.22:636 state=error: certificate verify failed (Hostname mismatch) (host3.ourdomain.com:636)):

Our (unchanged) LDAP configuration uses an array of hosts, like this:

  hosts: [['host1.ourdomain.com', 636], ['host2.ourdomain.com', 636], ['host3.ourdomain.com', 636]],
  connect_timeout: 2,
  encryption: {
    method: :simple_tls,
    tls_options: {
      ca_file: '/etc/pki/tls/certs/our-ca-chain.pem',
      verify_mode: OpenSSL::SSL::VERIFY_PEER
    }
  },

Investigation showed the certificate CN of each host did actually match its hostname. It also showed the application was able to connect to each of these hosts when configured directly as a single server:

  host: 'host1.ourdomain.com',
  port: 636,

Other workarounds I identified:

  • Setting verify_mode=OpenSSL::SSL::VERIFY_NONE, though this is not recommended
  • Reverting net-ldap to v0.17.1
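As an added example (not from this issue or from net-ldap itself), a small Ruby script that reproduces the hostname check behind the "certificate verify failed (Hostname mismatch)" error offline: a constructed self-signed certificate for host1.ourdomain.com passes when checked against that name and fails against host2.ourdomain.com, alongside the context settings a VERIFY_PEER connection needs per host. The certificate, key and ca_file argument are constructed or placeholder values, not the reporter's.

```ruby
require 'openssl'

# Constructed self-signed certificate whose subjectAltName lists dns_names;
# it stands in for the LDAP server's certificate (no real server is contacted).
def make_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_names.first}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The identity check OpenSSL runs after the handshake: the name that was
# dialed must appear in the certificate's SAN (or CN when no SAN is present).
# A false result here is what surfaces as "Hostname mismatch", so a correct
# per-host certificate still fails if it is checked against the wrong name.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Context for a VERIFY_PEER connection to one host: chain validation against
# ca_file plus hostname verification. The caller must also set
# ssl_socket.hostname = host (SNI and the name to verify) before connecting,
# and must do so separately for each entry of a hosts array.
def peer_verified_context(ca_file)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.ca_file         = ca_file if ca_file # placeholder path in real use
  ctx
end

if __FILE__ == $0
  cert = make_cert(['host1.ourdomain.com'])
  puts hostname_matches?(cert, 'host1.ourdomain.com') # true
  puts hostname_matches?(cert, 'host2.ourdomain.com') # false
end
```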
@alexjfisher
Contributor

I think this should be fixed in #417
