
Re: (ITS#6246) SSL fails over a network unless slapd runs with -d 2



Ed@vanGasteren.net wrote:
> Full_Name: Ed van Gasteren
> Version: 2.4.12 and 2.4.15
> OS: linux (Fedora 10, 11)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (85.223.76.221)
>
>
> On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients.
> The configuration is such that things work as expected even with security
> tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with
> -ZZ), nss and gq with TLS work like a charm.
>
> On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and
> Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd
> with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace:
> SSL_connect:SSLv3 read server certificate A".
>
> Seems as if the normal code path has a flaw which gets corrected/bypassed by the
> debugging code.

Doesn't sound familiar, I've never had this problem. However, the TLS code was 
refactored in rev 2.4.14, and it's always possible we missed something in the 
churn. How does openssl s_client react under the same conditions? If it hangs 
the same way, then that points to a bug on the server, and the answer is just 
to upgrade since .12 is rather out of date now. If s_client works, then we 
probably have to look at our client code.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
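The s_client comparison suggested in the reply, as an added diagnostic helper that is not part of the thread or of OpenLDAP: it probes the server's TLS handshake under a timeout so a hang is detected rather than blocking, and classifies the outcome the way the reply does (hang points at slapd, clean handshake points at the client code). It assumes an OpenSSL whose s_client supports `-starttls ldap`, the coreutils `timeout` command, and uses constructed host and port values.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from OpenLDAP.
# Probes an LDAP server's TLS handshake with openssl s_client under a timeout,
# so a handshake that hangs (like the reported ldapsearch hang) is detected
# rather than blocking the shell. Assumes openssl with -starttls ldap support
# and the coreutils `timeout` command. Host/port values are placeholders.

# tls_probe HOST PORT [ldaps|starttls] [SECONDS]: prints s_client output;
# exit status 124 means the handshake hung past SECONDS.
tls_probe() {
    host=$1; port=$2; mode=${3:-ldaps}; secs=${4:-10}
    set -- -connect "$host:$port"
    [ "$mode" = starttls ] && set -- "$@" -starttls ldap
    # With "TLSVerifyClient demand" the server requires a client cert; without
    # one the handshake fails for a reason unrelated to the reported hang.
    [ -n "$CLIENT_CERT" ] && set -- "$@" -cert "$CLIENT_CERT" -key "${CLIENT_KEY:-$CLIENT_CERT}"
    timeout "$secs" openssl s_client "$@" </dev/null 2>&1
}

# verify_code OUTPUT: numeric "Verify return code" from s_client output
# (0 ok, 18 self-signed, 21 unable to verify first cert), or "none" if the
# handshake never reached that point.
verify_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"; else echo none; fi
}

# classify_probe STATUS OUTPUT: prints hang | ok | failed.
# Per the reply above: "hang" points at slapd; "ok" means s_client handshakes
# fine and the problem is more likely in the LDAP client library.
classify_probe() {
    status=${1:-0}; out=$2
    if [ "$status" -eq 124 ]; then
        echo hang
    elif [ "$(verify_code "$out")" = 0 ]; then
        echo ok
    else
        echo failed
    fi
}
```

Typical use against the server from the report: `out=$(tls_probe lt2 636); classify_probe $? "$out"`, then repeat with `ldapsearch -ZZ` from the same client host to see whether only the LDAP client path hangs.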