
Re: (ITS#6246) SSL fails over a network unless slapd runs with -d 2

On 08/11/2009 01:05 PM, E.M. van Gasteren wrote:
>
>
> On 08/11/2009 04:44 AM, Howard Chu wrote:
>> Ed@vanGasteren.net wrote:
>>> Full_Name: Ed van Gasteren
>>> Version: 2.4.12 and 2.4.15
>>> OS: linux (Fedora 10, 11)
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (85.223.76.221)
>>>
>>>
>>> On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server
>>> and clients.
>>> The configuration is such that things work as expected even with
>>> security
>>> tightened up to "TLSVerifyClient demand". ldapsearch (either to -H
>>> ldaps or with
>>> -ZZ), nss and gq with TLS work like a charm.
>>>
>>> On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15),
>>> gq and
>>> Thunderbird connecting to the server on lt2. TLS/SSL only works if I
>>> run slapd
>>> with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS
>>> trace:
>>> SSL_connect:SSLv3 read server certificate A".
>>>
>>> Seems as if the normal code path has a flaw which gets
>>> corrected/bypassed by the
>>> debugging code.
>>
>> Doesn't sound familiar, I've never had this problem. However, the TLS
>> code was refactored in rev 2.4.14, and it's always possible we missed
>> something in the churn. How does openssl s_client react under the same
>> conditions? If it hangs the same way, then that points to a bug on the
>
> Should have mentioned that. It indeed hangs the same way, in the middle
> of getting over the "Acceptable client certificate CA names".

-- cut --

>> server, and the answer is just to upgrade since .12 is rather out of
>
> Hm! I'll see if I can get the 2.4.15 openldap stuff from Fedora 11
> repos running on lt2 first.

I ran into serious problems with lt2 and had to rebuild it. I took the 
opportunity to use Fedora 11 with openldap 2.4.15. That seems to have 
solved the problem.
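The diagnostic Howard Chu asks for above (does openssl s_client stall the same way against the server?) is easy to script so that a stalled handshake times out instead of hanging the shell, and so the transcript can be classified consistently. The script below is an added example, not part of the ITS thread or of OpenLDAP; the host name, port, certificate file names, the use of coreutils `timeout`, and the environment-variable names are assumptions. It pairs the probe with a small classifier that tells apart a completed handshake, a completed handshake with a failed verification, a transcript that ends right after the "Acceptable client certificate CA names" block (the symptom reported in this ITS), and no handshake at all.

```shell
#!/bin/sh
# Added example (not from the ITS thread): probe an ldaps:// endpoint with
# openssl s_client and classify where the TLS handshake got to.
# HOST, PORT, CAFILE, CLIENT_CERT, CLIENT_KEY and TIMEOUT are assumed names;
# override them in the environment to match the site.
HOST="${HOST:-ldap.example.com}"          # assumed server name
PORT="${PORT:-636}"                       # ldaps port
CAFILE="${CAFILE:-ca.pem}"                # CA that signed the server certificate
CLIENT_CERT="${CLIENT_CERT:-client.pem}"  # required for "TLSVerifyClient demand"
CLIENT_KEY="${CLIENT_KEY:-client.key}"
TIMEOUT="${TIMEOUT:-10}"                  # seconds before a stalled handshake is abandoned

# Run s_client with a timeout so a stalled handshake returns instead of
# hanging; stdin is closed so s_client exits once the handshake finishes.
# Both stdout and stderr are captured because the state lines go to stderr.
probe_ldaps() {
    timeout "$TIMEOUT" openssl s_client -connect "$HOST:$PORT" \
        -CAfile "$CAFILE" -cert "$CLIENT_CERT" -key "$CLIENT_KEY" \
        -showcerts </dev/null 2>&1
}

# Classify an s_client transcript read from stdin. s_client prints the
# "Acceptable client certificate CA names" block before the final
# "Verify return code" line, so a transcript that has the former but not
# the latter ended in the middle of that block, as described in the ITS.
# Prints exactly one of: ok, verify-failed, stalled-after-ca-names, no-handshake
classify_handshake() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$transcript" | grep -q '^Verify return code:'; then
        echo verify-failed
    elif printf '%s\n' "$transcript" | grep -q 'Acceptable client certificate CA names'; then
        echo stalled-after-ca-names
    else
        echo no-handshake
    fi
}

# Usage: sh probe_ldaps.sh probe    (only runs the network probe when asked)
if [ "${1:-}" = probe ]; then
    probe_ldaps | classify_handshake
fi
```

Run it with `probe` as the first argument to hit the live server; a result of `stalled-after-ca-names` reproduces the symptom in this ticket on the server side, independent of the LDAP client, whereas `verify-failed` means the handshake itself completed and the problem is in certificate trust rather than in slapd's TLS code path.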