Closed
Description
The following code:
```php
<?php
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$connection = ldap_connect('ldap://ldap.mydomain.mytld');
ldap_start_tls($connection);
?>
```
using an ldaprc file like
```
TLS_REQCERT demand
TLS_REQSAN demand
TLS_CACERT /path/to/my/ca-bundle.crt
```
Resulted in this output (using 8.4.7):
```
...
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: Error, self-signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (self-signed certificate in certificate chain).
ldap_err2string

Warning: ldap_start_tls(): Unable to start TLS: Connect error in /var/tmp/ldap.php on line 7
...
```
But I expected this output instead (using 8.4.6):
```
...
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust TLS RSA CA G1, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Nordrhein-Westfalen/L=Bonn/O=kippdata informationstechnologie GmbH/CN=*.kippdata.de, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust TLS RSA CA G1
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
...
```
The connection works with 8.4.7, if I add
```php
ldap_set_option($connection, LDAP_OPT_X_TLS_CACERTFILE, "/path/to/my/ca-bundle.crt");
```
but it fails for 8.4.6 if I define the bundle that way and remove it from ldaprc.
So 8.4.6 needs to have it in ldaprc, and 8.4.7 needs to have it set via LDAP_OPT_X_TLS_CACERTFILE.
The problem shows up when using start_tls. When I connect directly to an ldaps URL, the bundle from ldaprc is used in 8.4.6 and 8.4.7 and the connection succeeds.
I guess this is related to #17776 and commit 389de7c.
PHP Version
```
PHP 8.4.7 (cli) (built: May  7 2025 06:16:13) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.7, Copyright (c) Zend Technologies
```
LDAP library OpenLDAP 2.6.9 with OpenSSL 3.4.1.
Operating System
RHEL 9
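The report above shows that whether the `TLS_CACERT` line in `ldaprc` is honoured by `ldap_start_tls()` changed between two patch releases, while the `ldaps://` path was unaffected. From a defender's point of view the lesson is that trust anchors and the verification policy for StartTLS should be pinned on the connection handle and the result of `ldap_start_tls()` must be checked so the client never continues on a plaintext connection. The following is an added example, not the reporter's code and not code from php-src; the LDAP URI and CA bundle path are placeholders, and it assumes a build where `LDAP_OPT_X_TLS_CACERTFILE` is applied to the handle (the reporter observed this works on 8.4.7 but not 8.4.6).

```php
<?php
// Added example (not from the issue, not php-src code): make StartTLS trust
// configuration explicit per connection and fail closed with diagnostics.
// "ldap://ldap.example.invalid" and "/etc/pki/tls/certs/ca-bundle.crt" are
// placeholders; replace them with your own values.

declare(strict_types=1);

/**
 * Open an LDAP connection, upgrade it with StartTLS and verify the server
 * certificate against the given CA bundle. Throws instead of returning a
 * handle that is still in plaintext.
 */
function ldapConnectStartTlsVerified(string $uri, string $caBundle): \LDAP\Connection
{
    if (!is_readable($caBundle)) {
        // Catch a wrong path early: an unreadable bundle would otherwise surface
        // as a confusing "unknown CA" / "self-signed certificate" failure.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("ldap_connect() rejected URI: $uri");
    }

    // LDAPv3 is required for the StartTLS extended operation.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Pin trust anchors and verification policy on this handle so the outcome
    // does not depend on which ldaprc (if any) the process happens to load.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option($conn, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);

    if (!@ldap_start_tls($conn)) {
        // Collect the library's own diagnostic (e.g. the OpenSSL verify error)
        // before dropping the handle, then refuse to continue unencrypted.
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg = sprintf(
            'StartTLS failed for %s: %s (errno %d) %s',
            $uri,
            ldap_error($conn),
            ldap_errno($conn),
            $diag
        );
        ldap_unbind($conn);
        throw new RuntimeException($msg);
    }

    return $conn;
}

// Usage: placeholder URI and bundle path, see the comment at the top.
try {
    $conn = ldapConnectStartTlsVerified(
        'ldap://ldap.example.invalid',
        '/etc/pki/tls/certs/ca-bundle.crt'
    );
    echo "StartTLS established and certificate verified\n";
    ldap_unbind($conn);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Setting `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_DEMAND` on the handle mirrors the `TLS_REQCERT demand` line from the reporter's `ldaprc`, so a missing or untrusted certificate aborts the handshake rather than being silently accepted. Checking the return value of `ldap_start_tls()` and reading `LDAP_OPT_DIAGNOSTIC_MESSAGE` gives the same information as the `LDAP_OPT_DEBUG_LEVEL` trace in the report, but in a form an application can act on without enabling debug output.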