[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6304) Slapd freezes during SSL handshake when TLSVerifyClient=allow
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6304) Slapd freezes during SSL handshake when TLSVerifyClient=allow
- From: hyc@symas.com
- Date: Sun, 15 Nov 2009 21:43:42 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Jan Zelený wrote:
> Dne Ä?tvrtek 24 záÅ?à 2009 22:19:40 Howard Chu napsal(a):
>> jzeleny@redhat.com wrote:
>>> Full_Name: Jan Zeleny
>>> Version: 2.4.18
>>> OS: Fedora 11
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (62.40.79.66)
>>>
>> I'm unable to reproduce this using slapd on a debian x86-64 system, whether
>> on the local LAN or from 13 hops away. I've also used the tcp-buffer
>> option to set a minimum sized socket buffer and still could not duplicate
>> the problem. You will need to provide more explicit information on how to
>> reproduce this issue. Perhaps providing a set of CA/server certs will also
>> be necessary.
> I'm not sure I have much more explicit information for you. I'm sending
> certificate in attachment. It's a self signed testing certificate I generated on
> my system. I'm also sending you slapd.conf with relevant information and CA
> bundle file. If you need anything else, just let me know.
>
> Just for complete information:
> I tried slapd on Fedora 12 and RHEL 5.3 (x86_64) and on Ubuntu 9.04 (i386). On
> each system I used different self signed certificate. In both cases attached
> slapd.conf file was used. To reproduce error, I just started the slapd service
> (slapd -h 'ldaps:///' -u ldap) with given config file and connected to it. When
> I tried to connect with openssl s_client -connect fedora12-64, I received this
> output (and then freeze):
>
> CONNECTED(00000003)
> depth=0 /C=CZ/ST=Moravia/L=Brno/O=Red Hat Czech
> s.r.o./OU=Engineering/CN=fedora12-64/emailAddress=jzeleny@redhat.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=CZ/ST=Moravia/L=Brno/O=Red Hat Czech
> s.r.o./OU=Engineering/CN=fedora12-64/emailAddress=jzeleny@redhat.com
> verify return:1
>
>
>> Please note that the bug report you reference (509230) gives inconsistent
>> information; it says that no hang occurs with -d2, but that hangs occur
>> with no diagnostics, even with -d -1. Obviously -d -1 includes -d 2, so:
>> does it hang, or not, with -d -1?
>
> I believe what is stated there is that hangs don't occur with -d2, but they do
> with -d1 (not -d -1). I can also confirm this behaviour, that with -d1 hangs
> occur, but with -d2 they don't. (or at least I didn't encounter them during my
> testing).
>
> Hopefully I provided some useful information.
Thanks, that helped, a fix is now in CVS HEAD.
I should point out that the configuration used to reproduce this problem is
quite a poor one. As the OpenLDAP Admin Guide clearly states, your server
should only be configured with the CA certs for which it will accept client
certs. Your ca-bundle.crt file is 670KB and loaded with a lot of CAs that are
irrelevant; it's when slapd sends the client its list of acceptable CAs that
the connection was getting jammed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/