
(ITS#4583) TLS concurrency issues



Full_Name: Howard Chu
Version: 2.3/HEAD
OS: RHEL4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.126.120.178)
Submitted by: hyc


Using OpenSSL 0.9.7 (various releases up to 0.9.7j) we seem to be getting
crashes in slapd from simultaneous calls to tls_accept. Adding a mutex around
this call seems to fix the problem. It's a bit puzzling since the OpenSSL
library already does its own locking for protecting its shared data structures.
I haven't verified whether a similar problem exists for the client side
tls_connect calls.

The actual crash is very rare; more commonly the client's connect attempt will
just fail with

ldap_sasl_bind_s: Can't contact LDAP server (-1) error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac

This appears to be a common problem in OpenSSL 0.9.7:
http://www.redhat.com/archives/rhl-list/2005-May/msg01506.html

I haven't checked to see if it still occurs in 0.9.8, and it does not appear to
have been a problem in 0.9.6.