Bug 39479 - allow only SAML servers to connect to memcached server
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Erik Damrose
QA Contact: Stefan Gohmann
http://upstream.rosalinux.ru/versions...
: interim-2
Depends on: 39399 39500
Blocks: 39621
Reported: 2015-10-06 11:39 CEST by Florian Best
Modified: 2015-11-17 12:11 CET (History)


Attachments
patch (695 bytes, patch)
2015-10-28 17:36 CET, Florian Best
Description Florian Best univentionstaff 2015-10-06 11:39:11 CEST
We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon.
stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 in combination with OpenSSL 1.0.2 (both available in stretch).

+++ This bug was initially created as a clone of Bug #39399 +++
Comment 1 Arvid Requate univentionstaff 2015-10-07 12:39:39 CEST
Regarding the question of compatibility between 1.0.1e-2+deb7u17 and 1.0.2d-1 (not 1.0.2d-2 from experimental!):

Quoting https://www.openssl.org/policies/releasestrat.html:
=======================================================================
Letter releases, such as 1.0.1a, exclusively contain bug and security fixes and no new features. Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and are likely to contain new features, but in a way that does not break binary compatibility. This means that an application compiled and dynamically linked with 1.0.0 does not need to be recompiled when the shared library is updated to 1.0.2. It should be noted that some features are transparent to the application such as the maximum negotiated TLS version and cipher suites, performance improvements and so on. There is no need to recompile applications to benefit from these features.
=======================================================================

See also URL for an independent compatibility analysis based on code analysis.
Comment 2 Stefan Gohmann univentionstaff 2015-10-08 14:14:21 CEST
(In reply to Arvid Requate from comment #1)
> Regarding the question compatibility between 1.0.1e-2+deb7u17 and 1.0.2d-1
> (not 1.0.2d-2 from experimental!):

Thanks, I've split the OpenSSL upgrade to Bug #39500.
Comment 3 Florian Best univentionstaff 2015-10-14 19:15:47 CEST
Hmm, building stunnel4 failed due to a missing build-dependency:
Depends: libsystemd-dev which is a virtual package.

The package doesn't exist in wheezy.
https://packages.debian.org/stretch/libsystemd-dev

stunnel4 also has a dependency on:
https://packages.debian.org/de/stretch/libsystemd0
Comment 4 Arvid Requate univentionstaff 2015-10-14 20:29:59 CEST
Quoting from the changelog:

    - add a build dependency on libsystemd-dev for the systemd socket
      activation support

Since debian/rules doesn't explicitly pass --enable-systemd to configure I guess you may simply remove the (build-)dependency and configure autoprobe will skip it.
Comment 5 Florian Best univentionstaff 2015-10-14 21:10:59 CEST
(In reply to Arvid Requate from comment #4)
Oh, thank you very much for finding this!
Comment 6 Erik Damrose univentionstaff 2015-10-22 16:01:49 CEST
r15373 Fix build deps for UCS; stunnel4 3:5.18-1.13.201510221328

r64765
* Allow only SAML services to connect to stunnel
* Reordered stunnel/univention_saml.conf options to prevent warning
* Added UCRV stunnel/debuglevel with default=4 to reduce logfile spam
* Added univention-saml restart to idp-server listener

univention-saml 3.0.24-6.79.201510221556

r64767 Changelog
Comment 7 Stefan Gohmann univentionstaff 2015-10-23 06:20:38 CEST
> * Added univention-saml restart to idp-server listener

Jenkins found a traceback, fixed with r64789.

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/73/SambaVersion=s4,Systemrolle=member/testReport/00_checks/99check_log_files/test/
Comment 8 Erik Damrose univentionstaff 2015-10-23 16:28:06 CEST
Reopen: During an initial backup join the SAML-specific SSL certificates are not yet available while the u-d-listener is initialized, resulting in the following error while restarting univention-saml:

[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [memcached]: Failed to initialize SSL context

-> Adapt the univention-saml-servers.py listener to only restart univention-saml if the certificate is available.
Comment 9 Erik Damrose univentionstaff 2015-10-26 12:02:57 CET
(In reply to Erik Damrose from comment #8)
> -> Adapt the univention-saml-servers.py listener to only restart
> univention-saml if the certificate is available.

r64844 univention-saml 3.0.24-10.83.201510261201
Comment 10 Stefan Gohmann univentionstaff 2015-10-27 05:58:42 CET
Please have a look here:

[2015-10-26 19:24:52.012316]Errors found in '/var/log/univention/join.log':
[2015-10-26 19:24:52.012350]
[2015-10-26 19:24:52.012655] E: join.log:92, Traceback (most recent call last):
[2015-10-26 19:24:52.012672]  File "/usr/lib/univention-directory-listener/system/univention-saml-servers.py", line 67, in handler
[2015-10-26 19:24:52.012684]    if os.path.exists(path_to_cert) and os.path.exists(path_to_key):
[2015-10-26 19:24:52.012693]  File "/usr/lib/python2.7/genericpath.py", line 18, in exists
[2015-10-26 19:24:52.012700]    os.stat(path)
[2015-10-26 19:24:52.012709]TypeError: coercing to Unicode: need string or buffer, NoneType found

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=member/79/testReport/junit/00_checks/99check_log_files/test/
Comment 11 Stefan Gohmann univentionstaff 2015-10-27 06:20:56 CET
(In reply to Stefan Gohmann from comment #10)
> [2015-10-26 19:24:52.012316]Errors found in '/var/log/univention/join.log':
> [2015-10-26 19:24:52.012350]
> [2015-10-26 19:24:52.012655] E: join.log:92, Traceback (most recent call
> last):
> [2015-10-26 19:24:52.012672]  File
> "/usr/lib/univention-directory-listener/system/univention-saml-servers.py",
> line 67, in handler
> [2015-10-26 19:24:52.012684]    if os.path.exists(path_to_cert) and
> os.path.exists(path_to_key):
> [2015-10-26 19:24:52.012693]  File "/usr/lib/python2.7/genericpath.py", line
> 18, in exists
> [2015-10-26 19:24:52.012700]    os.stat(path)
> [2015-10-26 19:24:52.012709]TypeError: coercing to Unicode: need string or
> buffer, NoneType found

Simple fix: r64878
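An added example, not the project's listener code, of the guard the traceback in comment 10 calls for: the path helper may yield None when the host's FQDN cannot be built, and os.path.exists(None) raises the TypeError seen above, so the check must treat a missing path the same as a missing file. The helper names and the constructed temp directory standing in for /etc/univention/ssl are assumptions.

```python
import os
import tempfile


def saml_cert_paths(hostname, domainname, ssl_dir="/etc/univention/ssl"):
    """Build the cert/key paths used on this page:
    <ssl_dir>/<host>.<domain>/cert.pem and private.key.
    Hypothetical helper: returns (None, None) when the FQDN cannot be built,
    which is the case the original handler did not guard against."""
    if not hostname or not domainname:
        return None, None
    base = os.path.join(ssl_dir, "%s.%s" % (hostname, domainname))
    return os.path.join(base, "cert.pem"), os.path.join(base, "private.key")


def should_restart_saml(path_to_cert, path_to_key):
    """True only if both files are present; None paths count as absent.
    Passing None straight to os.path.exists() raises TypeError, which is
    what broke the join in comment 10."""
    if not path_to_cert or not path_to_key:
        return False
    return os.path.isfile(path_to_cert) and os.path.isfile(path_to_key)


def demo():
    """Walk through the join states: host unknown, certificate directory not
    created yet, key still missing, both files present (constructed files)."""
    results = {}
    results["no_host"] = should_restart_saml(*saml_cert_paths(None, "example.test"))
    with tempfile.TemporaryDirectory() as ssl_dir:
        cert, key = saml_cert_paths("ucs-sso", "example.test", ssl_dir)
        results["not_joined_yet"] = should_restart_saml(cert, key)
        os.makedirs(os.path.dirname(cert))
        open(cert, "w").close()
        results["key_missing"] = should_restart_saml(cert, key)
        open(key, "w").close()
        results["ready"] = should_restart_saml(cert, key)
    return results


if __name__ == "__main__":
    print(demo())
```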
Comment 12 Jürn Brodersen univentionstaff 2015-10-27 14:44:26 CET
No connection from the master to the backup is possible anymore:

Oct 23 01:57:45 ucs-2284 univention-saml-stunnel: LOG3[144]: SSL_connect: 14094416: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-2192.univention.intranet.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] Backtrace:
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 9 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 8 [builtin] (MemcachePool::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:215 (SimpleSAML_Auth_State::loadState)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:24 (require)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 0 /usr/share/simplesamlphp/www/module.php:134 (N/A)


socat unix-connect:/var/run/univention-saml/ucs-2192.univention.intranet.socket stdin → doesn't connect
Comment 13 Florian Best univentionstaff 2015-10-27 15:44:25 CET
The restart of univention-saml causes every session to be removed, as memcached stores sessions only in RAM. This is probably not good, as all currently logged in users get logged out when joining a DC backup.
Comment 14 Erik Damrose univentionstaff 2015-10-28 12:14:39 CET
(In reply to Florian Best from comment #13)
> The restart of univention-saml causes that every session is removed as
> memcached stores sessions only in RAM. This is probably not good as all
> currently logged in users gets logged out when joining a DC backup.

This is to be expected. If one restarts umc, the session is also lost. The automatic restart happens only if the univentionService entry 'univention-saml' is added or removed from a host - which is not going to happen that often. If this is a real issue we should open a new bug.

stunnel configuration fixed in r64915 univention-saml 3.0.24-13.86.201510280958

After updating to 4.1 a reboot is currently required: Bug #39646
Comment 15 Florian Best univentionstaff 2015-10-28 17:36:24 CET
We should also protect the local client sockets: they should verify the connection and also check the host.
Comment 16 Florian Best univentionstaff 2015-10-28 17:36:47 CET
Created attachment 7230 [details]
patch
Comment 17 Erik Damrose univentionstaff 2015-10-29 12:02:54 CET
Fixed with slightly adapted patch
r64968 univention-saml 3.0.25-6.92.201510291201
Comment 18 Stefan Gohmann univentionstaff 2015-10-31 11:59:22 CET
OK, it works. A connection via 

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/backup442.$domainname/cert.pem -key /etc/univention/ssl/backup442.$domainname/private.key

or 

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/slave444.$domainname/cert.pem -key /etc/univention/ssl/slave444.$domainname/private.key

is not possible.

A connection via:

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/ucs-sso.$domainname/cert.pem -key /etc/univention/ssl/ucs-sso.$domainname/private.key

is possible.

Changelog: OK
Comment 19 Stefan Gohmann univentionstaff 2015-11-17 12:11:28 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".