Add prototype for STARTTLS+ LDAP via sockets

See #1258

To do:
* more robustness. At least the success value from the response need to be retrieved and checked via starttls_io().
* double check the pre-handshake before the OID whether it's correct for every case
* documentation
* inline help

It seems to work though against db.debian.org
This commit is contained in:
Dirk Wetter 2022-01-24 16:49:03 +01:00 committed by Dirk
parent 4b973f242a
commit 6bd0d9eba0

View File

@ -11094,6 +11094,29 @@ starttls_postgres_dialog() {
return $ret return $ret
} }
# RFC 2830
starttls_ldap_dialog() {
local debugpad=" > "
local -i ret=0
local starttls_init=",
x30, x1d, x02, x01, # LDAP extendedReq
x01, # messageID: 1
x77, x18, x80, x16, x31, x2e, x33, x2e, x36, x2e, # ProtocolOP: extendedReq
x31, x2e, x34, x2e, x31, x2e, x31, x34, x36, x36, x2e, x32, x30, x30, x33, x37" # OID for STATRTTLS = "1.3.6.1.4.1.1466.20037"
debugme echo "=== starting LDAP STARTTLS dialog ==="
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
starttls_just_read 1 "read succeeded"
# response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
# ^^ == success! That [9] should be checked also!
ret=$?
debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
return $ret
}
starttls_mysql_dialog() { starttls_mysql_dialog() {
local debugpad=" > " local debugpad=" > "
local -i ret=0 local -i ret=0
@ -11214,8 +11237,10 @@ fd_socket() {
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
;; ;;
ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 ldap|ldaps) # LDAP, https://tools.ietf.org/html/rfc2830#section-2.1, https://tools.ietf.org/html/rfc4511
fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT # https://ldap.com/ldapv3-wire-protocol-reference-extended/
#fatal "FIXME: LDAP+STARTTLS over sockets not supported yet (try \"--ssl-native\")" $ERR_NOSUPPORT
starttls_ldap_dialog
;; ;;
acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595 acap|acaps) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595
fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT fatal "ACAP Easteregg: not implemented -- probably never will" $ERR_NOSUPPORT
@ -11231,7 +11256,7 @@ fd_socket() {
starttls_mysql_dialog starttls_mysql_dialog
;; ;;
*) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP *) # we need to throw an error here -- otherwise testssl.sh treats the STARTTLS protocol as plain SSL/TLS which leads to FP
fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not yet supported" $ERR_NOSUPPORT fatal "FIXME: STARTTLS protocol $STARTTLS_PROTOCOL is not supported yet" $ERR_NOSUPPORT
esac esac
ret=$? ret=$?
case $ret in case $ret in