mumble-voip / mumble-scripts

Mumble scripts is a place for gathering various scripts written for the Mumble VoIP application.
https://www.mumble.info

LDAP Authenticator: unencrypted traffic with 'use_start_tls = True' #21

Open theodotos opened 5 years ago

theodotos commented 5 years ago

I've set up the LDAP authenticator on our mumble server, but checking the traffic with tcpdump I've noticed that only the first query is encrypted. Subsequent queries are unencrypted. No user pass is leaked (it is used in the first query), but all the user's details and the bind pass are leaked.

You can verify this with:

$ sudo tcpdump host ldap.example.com -s0 -w mumble-ldap.pcap

and read the mumble-ldap.pcap file with wireshark.
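To confirm what the capture shows without clicking through every packet in Wireshark, the following added example (not part of mumble-scripts) parses a reassembled client-to-server LDAP stream and reports any simple bind whose DN and password went over the wire in the clear; the sample messages, DN and password at the bottom are constructed for illustration.

```python
"""Added example (not mumble-scripts code): scan one client->server LDAP
stream (raw TCP payload on port 389, e.g. Wireshark "Follow TCP Stream")
for simple binds sent in the clear. After a successful StartTLS only TLS
records follow; the scan stops at the first non-LDAP record."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended op

def _enc(tag, value):
    """Encode one BER TLV (short-form length; samples stay under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def scan_ldap_stream(payload: bytes):
    """Return [(messageID, description)] for each bind/StartTLS found."""
    findings, pos = [], 0
    while pos + 2 <= len(payload):
        tag, msg, pos = _tlv(payload, pos)
        if tag != 0x30:                       # LDAPMessage is a SEQUENCE;
            break                             # anything else (TLS) ends the scan
        _, mid, p = _tlv(msg, 0)              # messageID INTEGER
        op_tag, op, _ = _tlv(msg, p)          # protocolOp (APPLICATION-tagged)
        mid = int.from_bytes(mid, "big")
        if op_tag == 0x60:                    # [APPLICATION 0] BindRequest
            _, _, q = _tlv(op, 0)             # version
            _, dn, q = _tlv(op, q)            # name (LDAPDN)
            auth_tag, cred, _ = _tlv(op, q)   # AuthenticationChoice
            if auth_tag == 0x80:              # [0] simple: password in clear
                findings.append((mid, f"CLEARTEXT simple bind as {dn.decode()} "
                                      f"({len(cred)}-byte password)"))
            else:
                findings.append((mid, f"SASL bind as {dn.decode()}"))
        elif op_tag == 0x77:                  # [APPLICATION 23] ExtendedRequest
            _, name, _ = _tlv(op, 0)          # requestName [0] LDAPOID
            findings.append((mid, "StartTLS request" if name == STARTTLS_OID
                             else f"extended op {name.decode()}"))
        # other operations (search, unbind, ...) are ignored here
    return findings

# Constructed sample streams (not from a real capture); DN/password made up.
STARTTLS_REQ = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x77, _enc(0x80, STARTTLS_OID)))
SIMPLE_BIND = _enc(0x30, _enc(0x02, b"\x02") + _enc(0x60, _enc(0x02, b"\x03")
              + _enc(0x04, b"cn=mumble,dc=example,dc=com") + _enc(0x80, b"hunter2")))
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # TLS handshake record stub
```

A healthy stream yields only a StartTLS request before the scan hits TLS records; a stream that yields a CLEARTEXT finding is exactly the leak described in the report.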

theodotos commented 5 years ago

A workaround is to use ldap_uri = ldaps://ldap.example.com and comment out use_start_tls.

Kissaki commented 5 years ago

I guess the configuration file and possible script file header should make this clear - documentation-wise.