LDAP client's STARTTLS does not support LDAP servers that require 256-bit key lengths #1377

Closed
opened 2025-11-02 03:58:38 -06:00 by GiteaMirror · 2 comments

Originally created by @smkent on GitHub (Dec 17, 2017).

  • Gitea version (or commit ref): 1.3.0
  • Git version: 2.13.6
  • Operating system: Gentoo Linux
  • Database (use [x]):
    • [ ] PostgreSQL
    • [x] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
    • [x] Not relevant
  • Log gist:

Description

I installed Gitea on my server and tried to connect it to my local OpenLDAP server, which requires STARTTLS with a security factor (ssf) of 256. Gitea's LDAP client does not enable the strongest TLS ciphers, and can only connect to OpenLDAP servers that allow a security factor (ssf) of 128 or lower. (OpenLDAP's ssf refers to the client's key size.)

I fixed this locally by applying the following patch while building Gitea:

diff -Naur gitea-1.3.0/modules/auth/ldap/ldap.go gitea-1.3.0-patched/modules/auth/ldap/ldap.go
--- src/code.gitea.io/gitea/modules/auth/ldap/ldap.go   2017-11-29 06:51:47.000000000 -0800
+++ src/code.gitea.io/gitea/modules/auth/ldap/ldap.go   2017-12-11 15:25:02.722116453 -0800
@@ -125,8 +125,17 @@
        log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", ls.SecurityProtocol, ls.SkipVerify)

        tlsCfg := &tls.Config{
-               ServerName:         ls.Host,
-               InsecureSkipVerify: ls.SkipVerify,
+               ServerName:               ls.Host,
+               InsecureSkipVerify:       ls.SkipVerify,
+               MinVersion:               tls.VersionTLS12,
+               CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+               PreferServerCipherSuites: true,
+               CipherSuites: []uint16{
+                       tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                       tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+                       tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+                       tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+               },
        }
        if ls.SecurityProtocol == SecurityProtocolLDAPS {
                return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), tlsCfg)
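Review bot: the hard-coded four-suite list (`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` through `tls.TLS_RSA_WITH_AES_256_CBC_SHA`) trades one interoperability problem for another and weakens the defaults: it drops every ECDSA suite, so a server presenting an ECDSA certificate can no longer be reached, and two of the four suites use static RSA key exchange (no forward secrecy) while two use CBC mode. `PreferServerCipherSuites: true` is a server-side field and has no effect on a client dial. Suggest keeping only the ECDHE AES-256-GCM suites for both RSA and ECDSA certificates (plus ChaCha20-Poly1305), and, given the report itself says the upstream fix is unclear, exposing `MinVersion` and the suite list as an LDAP source setting instead of fixing them in code.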

I do not know what the proper solution is for upstream, but it would be nice if these ciphers were enabled in the LDAP client.

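As an added illustration (not Gitea's code and not part of the original report), this Go snippet derives the cipher-suite list from the ssf the OpenLDAP server demands instead of hard-coding four suites as the patch does: it keeps only forward-secret AEAD suites whose symmetric key length meets the minimum. `ssfBits`, `suitesForSSF` and `ldapTLSConfig` are assumed helper names, and `host`/`skipVerify` stand in for `ls.Host`/`ls.SkipVerify` from the patch.

```go
package main

import (
	"crypto/tls"
	"strings"
)

// ssfBits approximates OpenLDAP's ssf for a Go cipher-suite name: the symmetric
// key length in bits (AES-256 and ChaCha20 give 256, AES-128 gives 128), or 0 for
// suites without ECDHE forward secrecy or an AEAD cipher. The static-RSA and CBC
// suites from the patch therefore score 0. Assumption: derived from the name only.
func ssfBits(name string) int {
	if !strings.Contains(name, "ECDHE") ||
		!(strings.Contains(name, "GCM") || strings.Contains(name, "POLY1305")) {
		return 0
	}
	switch {
	case strings.Contains(name, "AES_256"), strings.Contains(name, "CHACHA20"):
		return 256
	case strings.Contains(name, "AES_128"):
		return 128
	}
	return 0
}

// suitesForSSF returns the IDs of Go's non-insecure suites that reach minBits.
// TLS 1.3 suite names carry no "ECDHE" token, so they score 0 and are skipped,
// which is correct: tls.Config.CipherSuites cannot configure TLS 1.3 anyway.
func suitesForSSF(minBits int) []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if ssfBits(cs.Name) >= minBits {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// ldapTLSConfig builds the config the issue's ldap.go passes to ldap.DialTLS,
// with MinVersion pinned to TLS 1.2 as in the patch but the suite list chosen
// from the required ssf (256 for the server described in the report).
func ldapTLSConfig(host string, skipVerify bool, minBits int) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: skipVerify,
		MinVersion:         tls.VersionTLS12,
		CipherSuites:       suitesForSSF(minBits),
	}
}
```

Passing 128 instead of 256 keeps the AES-128-GCM suites as well, so the same helper serves servers that accept the weaker ssf.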
GiteaMirror added the type/enhancement and issue/stale labels 2025-11-02 03:58:38 -06:00

@stale[bot] commented on GitHub (Feb 10, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.


@stale[bot] commented on GitHub (Feb 24, 2019):

This issue has been automatically closed because of inactivity. You can re-open it if needed.


Reference: github-starred/gitea#1377