
(ITS#6246) SSL fails over a network unless slapd runs with -d 2



Full_Name: Ed van Gasteren
Version: 2.4.12 and 2.4.15
OS: linux (Fedora 10, 11)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (85.223.76.221)


On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients.
The configuration is such that things work as expected even with security
tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with
-ZZ), nss and gq with TLS work like a charm.

On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and
Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd
with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace:
SSL_connect:SSLv3 read server certificate A".

Seems as if the normal code path has a flaw which gets corrected/bypassed by the
debugging code.

What puzzles me is that I find few references (google) to this kind of problem,
as if nobody uses it this way.

- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412706 There they blame it on
GnuTLS. Here the symptoms are similar but GnuTLS is not in the picture.
- I have searched the openldap Mailing Lists archives for "ssl;client;server;-d
2". That gives a few hits with very similar problems but the threads provide no
solution.

I can provide loads of additional detail about my configuration and debug output
of the server and the ldapsearch client but I prefer to get some pointers about
what to test, look for or provide.