Univention Bugzilla – Bug 39479
allow only SAML servers to connect to memcached server
Last modified: 2015-11-17 12:11:28 CET
We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon. stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 in combination with OpenSSL 1.0.2 (both available in stretch).

+++ This bug was initially created as a clone of Bug #39399 +++
Regarding the question of compatibility between 1.0.1e-2+deb7u17 and 1.0.2d-1 (not 1.0.2d-2 from experimental!):

Quoting https://www.openssl.org/policies/releasestrat.html:
=======================================================================
Letter releases, such as 1.0.1a, exclusively contain bug and security fixes and no new features. Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and are likely to contain new features, but in a way that does not break binary compatibility. This means that an application compiled and dynamically linked with 1.0.0 does not need to be recompiled when the shared library is updated to 1.0.2. It should be noted that some features are transparent to the application such as the maximum negotiated TLS version and cipher suites, performance improvements and so on. There is no need to recompile applications to benefit from these features.
=======================================================================

See also URL for an independent compatibility analysis based on code analysis.
(In reply to Arvid Requate from comment #1)
> Regarding the question compatibility between 1.0.1e-2+deb7u17 and 1.0.2d-1
> (not 1.0.2d-2 from experimental!):

Thanks, I've split the OpenSSL upgrade to Bug #39500.
Hmm, building stunnel4 failed due to a missing build-dependency:

Depends: libsystemd-dev

which is a virtual package. The package doesn't exist in wheezy.
https://packages.debian.org/stretch/libsystemd-dev

stunnel4 also has a dependency on:
https://packages.debian.org/de/stretch/libsystemd0
Quoting from the changelog:

- add a build dependency on libsystemd-dev for the systemd socket activation support

Since debian/rules doesn't explicitly pass --enable-systemd to configure I guess you may simply remove the (build-)dependency and configure autoprobe will skip it.
(In reply to Arvid Requate from comment #4)

Oh, thank you very much for finding this!
r15373 Fix build deps for UCS;
stunnel4 3:5.18-1.13.201510221328

r64765
* Allow only SAML services to connect to stunnel
* Reordered stunnel/univention_saml.conf options to prevent warning
* Added UCRV stunnel/debuglevel with default=4 to reduce logfile spam
* Added univention-saml restart to idp-server listener
univention-saml 3.0.24-6.79.201510221556

r64767 Changelog
> * Added univention-saml restart to idp-server listener

Jenkins found a traceback, fixed with r64789.
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/73/SambaVersion=s4,Systemrolle=member/testReport/00_checks/99check_log_files/test/
Reopen: During an initial backup join the saml specific SSL certificates are not yet available while the u-d-listener is initialized, resulting in the following error while restarting univention-saml:

[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [memcached]: Failed to initialize SSL context

-> Adapt the univention-saml-servers.py listener to only restart univention-saml if the certificate is available.
(In reply to Erik Damrose from comment #8)
> -> Adapt the univention-saml-servers.py listener to only restart
> univention-saml if the certificate is available.

r64844
univention-saml 3.0.24-10.83.201510261201
Please have a look here:

[2015-10-26 19:24:52.012316]Errors found in '/var/log/univention/join.log':
[2015-10-26 19:24:52.012350]
[2015-10-26 19:24:52.012655] E: join.log:92, Traceback (most recent call last):
[2015-10-26 19:24:52.012672] File "/usr/lib/univention-directory-listener/system/univention-saml-servers.py", line 67, in handler
[2015-10-26 19:24:52.012684] if os.path.exists(path_to_cert) and os.path.exists(path_to_key):
[2015-10-26 19:24:52.012693] File "/usr/lib/python2.7/genericpath.py", line 18, in exists
[2015-10-26 19:24:52.012700] os.stat(path)
[2015-10-26 19:24:52.012709]TypeError: coercing to Unicode: need string or buffer, NoneType found

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=member/79/testReport/junit/00_checks/99check_log_files/test/
(In reply to Stefan Gohmann from comment #10)
> [2015-10-26 19:24:52.012316]Errors found in '/var/log/univention/join.log':
> [2015-10-26 19:24:52.012350]
> [2015-10-26 19:24:52.012655] E: join.log:92, Traceback (most recent call last):
> [2015-10-26 19:24:52.012672] File "/usr/lib/univention-directory-listener/system/univention-saml-servers.py", line 67, in handler
> [2015-10-26 19:24:52.012684] if os.path.exists(path_to_cert) and os.path.exists(path_to_key):
> [2015-10-26 19:24:52.012693] File "/usr/lib/python2.7/genericpath.py", line 18, in exists
> [2015-10-26 19:24:52.012700] os.stat(path)
> [2015-10-26 19:24:52.012709]TypeError: coercing to Unicode: need string or buffer, NoneType found

Simple fix: r64878
No connection from the master to the backup is possible anymore:

Oct 23 01:57:45 ucs-2284 univention-saml-stunnel: LOG3[144]: SSL_connect: 14094416: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-2192.univention.intranet.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] Backtrace:
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 9 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 8 [builtin] (MemcachePool::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:215 (SimpleSAML_Auth_State::loadState)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:24 (require)
Oct 23 01:57:45 ucs-2284 simplesamlphp[14111]: 3 [9a01ed7356] 0 /usr/share/simplesamlphp/www/module.php:134 (N/A)

socat unix-connect:/var/run/univention-saml/ucs-2192.univention.intranet.socket stdin
→ doesn't connect
The restart of univention-saml causes every session to be removed, as memcached stores sessions only in RAM. This is probably not good, as all currently logged in users get logged out when joining a DC backup.
(In reply to Florian Best from comment #13)
> The restart of univention-saml causes that every session is removed as
> memcached stores sessions only in RAM. This is probably not good as all
> currently logged in users gets logged out when joining a DC backup.

This is to be expected. If one restarts umc, the session is also lost. The automatic restart happens only if the univentionService entry 'univention-saml' is added or removed from a host - which is not going to happen that often. If this is a real issue we should open a new bug.

stunnel configuration fixed in r64915
univention-saml 3.0.24-13.86.201510280958

After updating to 4.1 a reboot is currently required: Bug #39646
We should also protect the local client sockets: they should verify the connection and also check the host.
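As an added illustration of the two requirements in this thread (the description's "only trusted hosts may open an SSL connection to memcached, using checkHost" and the comment above asking that the local client sockets verify the peer and check its host), here is what a hardened stunnel configuration can look like on both ends. This is an example written for this page, not the project's own univention_saml.conf or a commenter's patch. It assumes stunnel >= 5.18 built against OpenSSL >= 1.0.2 (the combination named in the description, which checkHost needs); the certificate paths, port 11212, the unix socket path and the debug level 4 are taken from this thread, while the CA bundle path, the master's FQDN and the service names in brackets are placeholders, and $domainname must be replaced by the real domain as in the openssl s_client commands later in the thread.

```ini
; Added example, not the project's univention_saml.conf.
; Assumes stunnel >= 5.18 with OpenSSL >= 1.0.2 (required for checkHost).
; Values in <angle brackets> and $domainname are placeholders to be filled in.

; Corresponds to the UCRV stunnel/debuglevel default mentioned in this thread.
debug = 4

; Weak setting (before the fix): any host that can reach port 11212 and
; presents no certificate at all is tunnelled straight into memcached.
; [memcached]
; accept = 11212
; connect = 127.0.0.1:11211
; cert = /etc/univention/ssl/ucs-sso.$domainname/cert.pem
; key = /etc/univention/ssl/ucs-sso.$domainname/private.key

; Hardened server side on the DC master: terminate TLS in front of the local
; memcached, require a client certificate that chains to the domain CA, and
; additionally insist that its subject (CN/SAN) is the SAML/SSO host name.
; A backup's or slave's own host certificate chains to the same CA but fails
; checkHost, which is exactly the "certificate unknown" rejection verified
; with openssl s_client later in this thread.
[memcached]
accept = 11212
connect = 127.0.0.1:11211
cert = /etc/univention/ssl/ucs-sso.$domainname/cert.pem
key = /etc/univention/ssl/ucs-sso.$domainname/private.key
CAfile = <path-to-domain-CA-bundle>
; verify = 2: reject any peer that does not present a certificate signed by CAfile
verify = 2
checkHost = ucs-sso.$domainname

; Hardened client side on a backup/slave: SimpleSAMLphp talks to the local
; unix socket, stunnel opens the TLS connection to the master and applies the
; same checks in the other direction, so a spoofed "master" that merely holds
; some CA-signed certificate is rejected as well.
[memcached-client-master]
client = yes
accept = /var/run/univention-saml/ucs-2192.univention.intranet.socket
connect = <ldap-master-fqdn>:11212
cert = /etc/univention/ssl/ucs-sso.$domainname/cert.pem
key = /etc/univention/ssl/ucs-sso.$domainname/private.key
CAfile = <path-to-domain-CA-bundle>
verify = 2
checkHost = ucs-sso.$domainname
```

The two checks are deliberately separate: verify = 2 answers "was this certificate issued by our CA?", which every host in the domain can satisfy, while checkHost answers "is it the certificate of the one host that is allowed here?". Only the second one actually restricts memcached access to the SAML servers, and it is the reason the description ties the fix to stunnel 5.18 and OpenSSL 1.0.2. After deploying such a configuration the acceptance test in this thread (s_client with a backup or slave certificate must fail, with the ucs-sso certificate must succeed) is the check that both halves are in place.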
Created attachment 7230: patch
Fixed with slightly adapted patch r64968 univention-saml 3.0.25-6.92.201510291201
OK, it works. A connection via

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/backup442.$domainname/cert.pem -key /etc/univention/ssl/backup442.$domainname/private.key

or

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/slave444.$domainname/cert.pem -key /etc/univention/ssl/slave444.$domainname/private.key

is not possible. A connection via:

openssl s_client -connect $ldap_master:11212 -cert /etc/univention/ssl/ucs-sso.$domainname/cert.pem -key /etc/univention/ssl/ucs-sso.$domainname/private.key

is possible.

Changelog: OK
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".