[Pki-users] Possible PKI LDAP connections leak?
Endi Sukma Dewata
edewata at redhat.com
Wed Sep 2 19:33:09 UTC 2015
Hi,
Thanks for reporting this. I think it is a problem and I was able to
reproduce it. I have filed a ticket for this issue:
https://fedorahosted.org/pki/ticket/1601
Thanks again!
--
Endi S. Dewata
On 8/28/2015 2:21 PM, Aleksey Chudov wrote:
> To clarify, it is possible to DoS the Certificate System by repeatedly
> calling the /ca/rest/securityDomain/domainInfo url until Directory Server
> exhausts all available connections.
>
>
> $ rpm -qa 389* pki* | sort
> 389-ds-base-1.3.3.1-20.el7_1.x86_64
> 389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
> pki-base-10.2.6-7.el7.centos.noarch
> pki-ca-10.2.6-7.el7.centos.noarch
> pki-server-10.2.6-7.el7.centos.noarch
> pki-tools-10.2.6-7.el7.centos.x86_64
>
>
> On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov
> <aleksey.chudov at gmail.com> wrote:
>
> Hi,
>
> I have found possible PKI LDAP connections leak on access to
> /ca/rest/securityDomain/domainInfo url.
>
> To reproduce
>
> # ss -ant state established sport = :636
> Recv-Q Send-Q Local Address:Port Peer Address:Port
> 0 0 10.172.3.13:636 10.172.3.13:57696
> 0 0 10.172.3.13:636 10.172.3.13:57692
> 0 0 10.172.3.13:636 10.172.3.13:57695
> 0 0 10.172.3.13:636 10.172.3.13:57690
> 0 0 10.172.3.13:636 10.172.3.13:57689
> 0 0 10.172.3.13:636 10.172.3.13:57693
> 0 0 10.172.3.13:636 10.172.3.13:57688
> 0 0 10.172.3.13:636 10.172.3.13:57691
> 0 0 10.172.3.13:636 10.172.3.13:57687
>
> # ss -ant state established sport = :636 | wc -l
> 10
>
> # for ((i=0; i<256; i++)); do curl
> http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
>
> # ss -ant state established sport = :636 | wc -l
> 266
>
> Every request to the /ca/rest/securityDomain/domainInfo url increases the
> number of LDAP connections and produces the same messages in the debug log
>
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SessionContextInterceptor: Not authenticated.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: mapping: default
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: required auth methods: [*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: anonymous access allowed
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> ACLInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> ACLInterceptor.filter: no authorization required
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> ACLInterceptor: No ACL mapping; authz not required.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL
> mapping not found; OK:SecurityDomainResource.getDomainInfo]
> authorization success
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: content-type: null
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: accept: [*/*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: response format: application/xml
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to
> ccMode, authorization for servlet: securitydomain is LDAP based, not
> XML {1}, use default authz mgr: {2}.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating
> LdapBoundConnFactor(SecurityDomainProcessor)
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> LdapBoundConnFactory: init
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> LdapBoundConnFactory:doCloning true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init begins
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init: prompt is internaldb
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init: try getting from memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init: got password from memory
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init: password found for prompt.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> password ok: store in memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> init ends
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before
> makeConnection errorIfDown is false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> makeConnection: errorIfDown false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake
> happened
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established
> LDAP connection using basic authentication to host
> srv334.example.com port 636 as cn=Directory Manager
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing
> with mininum 3 and maximum 15 connections to host srv334.example.com
> port 636, secure connection, true, authentication type 1
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing
> minimum connections by 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total
> available connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of
> connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In
> LdapBoundConnFactory::getConn()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is
> connected: true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn
> is connected true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn:
> mNumConns now 2
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: name: Company LLC
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn=srv333.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn: srv333.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SubsystemName: CA srv333.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - Clone: FALSE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - host: srv333.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn=srv334.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn: srv334.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - host: srv334.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SubsystemName: CA srv334.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn=srv335.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - cn: srv335.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - host: srv335.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: - SubsystemName: CA srv335.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: OCSP
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: KRA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: RA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: TKS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: TPS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing
> ldap connection
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn:
> mNumConns now 3
>
>
> At the same time, requests to different urls do not increase the
> number of established LDAP connections.
>
> Is it a bug or expected behavior?
>
> Aleksey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
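As an added example (not code from this thread or from the PKI project), a small scanner for the CA debug log that counts how often a named LdapBoundConnFactory is created and, from the pool minimum logged right after it, estimates how many LDAP connections the leak is holding open; it assumes the `[timestamp][thread]: message` line shape shown in the quoted log, and the three sample requests below are constructed.

```python
import re
from collections import Counter

# Debug-log line shape seen in the thread: [timestamp][thread]: message
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
CREATE = re.compile(r"Creating LdapBoundConnFactor\((?P<name>[^)]+)\)")
# "min\w+" tolerates the "mininum" spelling that the real log prints
INIT = re.compile(r"initializing with min\w+ (?P<min>\d+) and maximum (?P<max>\d+) connections")


def scan_factories(lines):
    """Count creations of each named connection factory and record the
    minimum pool size each one opens immediately on init."""
    created = Counter()
    min_conns = {}
    pending = {}  # thread -> factory name awaiting its 'initializing' line
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        c = CREATE.search(msg)
        if c:
            created[c.group("name")] += 1
            pending[thread] = c.group("name")
            continue
        i = INIT.search(msg)
        if i and thread in pending:
            min_conns[pending.pop(thread)] = int(i.group("min"))
    return created, min_conns


def leaked_connection_estimate(lines, threshold=1):
    """A factory that is created more than `threshold` times and never
    shut down pins (creations * pool minimum) connections on the DS."""
    created, min_conns = scan_factories(lines)
    return {name: n * min_conns.get(name, 0)
            for name, n in created.items() if n > threshold}


# Constructed sample: three domainInfo requests on three worker threads
SAMPLE_LOG = "\n".join(
    f"[27/Aug/2015:18:04:0{i}][ajp-bio-127.0.0.1-8009-exec-{6 + i}]: {msg}"
    for i in range(3)
    for msg in (
        "Creating LdapBoundConnFactor(SecurityDomainProcessor)",
        "initializing with mininum 3 and maximum 15 connections to host "
        "srv334.example.com port 636, secure connection, true, authentication type 1",
    )
)
```

Run against a real debug log, a count of SecurityDomainProcessor creations that tracks the request count rather than staying at one is the signature of this leak.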