TCP Connection not closed if non SSL ldaptor LDAPServer accessed via SSL

[OzzieIsaacs]

I'm using ldaptor for testing the ldap login routines of my code. The ldaptor LDAPServer acts as server in this usecase. One of the testcases is accessing a non SSL server (ldaptor) via SSL configured client (my code).

The server reacts with a log output:

ldaptor.protocols.pureber.UnknownBERTag: BERDecoderContext has no tag 0x16: <LDAPBERDecoderContext_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>

and the TCP connection doesn't get closed, which causes the client to never return. (This looks similar to #137).
I tried to debug the code a little bit, it hits the following line in pureber.py:
print(str(UnknownBERTag(i, context))) # TODO
If I add an line afterwards
raise UnknownBERTag(i, context)
the code closes the connection via the general exception handler with a traceback in twisted (not the best solution, but better than now).

Steps to reproduce (tested with Linux Mint 19.3 python 3.6, using ldaptor 19.1.0):

• start ldapserver.py
• On commandline start ldapsearch -H ldaps://127.0.0.1:10389 -x
• The server outputs the line and the command never returns.
  Excecuting the same command (with 'ldaps' address) on an openldap server (also configured nonSSL) it returns immediately with ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) (My hack leads to the same result).

Would be great if you could find a proper solution for this.

Thanks a lot

[shayant85]

I believe I am facing the same issue while working with an AD server with SSL. Everything works fine but keep seeing this error in the logs right after the proxy sends 'LDAPUnbindRequest':

2020-12-12 16:23:46-0500 [LoggingProxy,0,127.0.0.1] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-12-12 16:23:46-0500 [-] BERDecoderContext has no tag 0x8a: <LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2020-12-12 16:23:46-0500 [LDAPClient (TLSMemoryBIOProtocol),client] Got unsolicited notification: LDAPExtendedResponse(resultCode=52, errorMessage='00000003: LdapErr: DSID-0C060607, comment: Error decrypting ldap message, data 0, v3839\x00')