
Session Resumption problems with JSSE-OpenLDAP



Below is a dialog posted on the Software list. Gary and 
Sergio found a problem running SSL between JSSE and OpenLDAP.

Here are the symptoms:
- JSSE app hangs on the second, or third SSL connection to OpenLDAP
  (Using either Java LDAP API or JNDI)
- JSSE app does not hang against Novell or iPlanet.
- Both TLS and SSLv3 hangs.
- Setting the -Djavax.net.debug="all" flag mysteriously fixes everything.
  (This is not a viable workaround because the flag causes Sun's JSSE
  to output everything; this degrades performance and could be a security
  problem.)

I submitted a bug to Sun and I haven't heard back yet.  Sergio found a
workaround by invalidating the session for further use after the
connection is used - I'd suggest doing the same immediately after the
connection is made.

I'm very hesitant to check in a fix like that because 1) the bug is in
JSSE or OpenSSL and the fix in JLDAP would be temporary; and 2) the
workaround would make the Java LDAP much slower for SSL.

Have any of you found other symptoms like this with OpenSSL?  Does
OpenLDAP set no caching of sessions?  I assume that this must be working
in C.  And finally, has anyone tried a JSSE provider other than Sun's?

Cameron

>>> "Cameron Morris" <CMorris@novell.com> 12/13/01 02:57PM >>>
The SSLSession stores enough information to connect to servers it has
already connected to previously.  There is a simplified handshake
designed for this purpose, called session resumption.  If a client sends
a hello with a session-ID from a previous session, the server can choose
to resume the previous session or start a new one.  So either the server
is choking on the resume request or JSSE could be choking on the denial.
(Since the debug flag fixes the problem I'd guess the problem is with
JSSE.)
 
I ran a test to see if the problem is JSSE.  In a loop I connect and
re-connect - just like Gary's code does.  I put a System.in.read to pause
the code after each re-connect.  Then I downed eDirectory and brought it
up again to destroy any cached session keys.  Then I continued the
program - it was able to recover from the fact that the session was no
longer valid on the server.  So I'd guess the problem is in the OpenLDAP
server or in OpenSSL.  A sniffer trace showing the handshake would
definitely help.
 
I'm interested in the outcome of this thing so if you find something
please let me know.
 
Thanks,
Cameron
 
 
Cameron Morris
Software Engineer, Directory Services
Novell, Inc.,  The leading provider of Net services software
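A way to check, without a sniffer trace, whether the second and third connections described above are resumed or fully negotiated: the added example below (not code from this thread or from JLDAP) connects in a loop, compares each SSLSession id with the previous one, and with `--invalidate` applies the same `invalidate()` workaround discussed in the thread. HOST and PORT are assumed placeholders; a hang inside `startHandshake()` on the second connection reproduces the reported symptom, bounded by the socket timeout.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (not JLDAP code): reconnect to an LDAPS server and report
// whether each handshake resumed the previous SSLSession or was a full one.
public class ResumptionProbe {
    // Assumed placeholders: point these at the server under test.
    static final String HOST = "ldap.example.test";
    static final int PORT = 636;

    // One report line per connection, marked RESUMED or FULL by comparing the
    // session id with the id seen on the previous connection.
    static String probe(int connections, boolean invalidateOnClose) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        byte[] previousId = null;
        StringBuffer report = new StringBuffer();
        for (int i = 0; i < connections; i++) {
            SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT);
            try {
                // Bound the wait so a hung handshake surfaces as an exception.
                socket.setSoTimeout(10000);
                // Complete the handshake here so getSession() never has to start one.
                socket.startHandshake();
                SSLSession session = socket.getSession();
                byte[] id = session.getId();
                // Same id as last round means the server resumed; a new id means a full handshake.
                boolean resumed = previousId != null && Arrays.equals(previousId, id);
                report.append("connection ").append(i + 1)
                      .append(resumed ? ": RESUMED " : ": FULL ")
                      .append(session.getCipherSuite())
                      .append(" created=").append(session.getCreationTime())
                      .append('\n');
                previousId = id;
                if (invalidateOnClose) {
                    // Mirrors the workaround discussed in the thread: this session may
                    // no longer be resumed, so the next connect is a full handshake.
                    session.invalidate();
                }
            } finally {
                socket.close();
            }
        }
        return report.toString();
    }
    public static void main(String[] args) throws IOException {
        boolean invalidate = args.length > 0 && args[0].equals("--invalidate");
        System.out.print(probe(3, invalidate));
    }
}
```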

>>> Sergio Talens-Oliag <sto@isoco.com> 12/13/01 05:49AM >>>
On Wed, Dec 12, 2001 at 01:20:46PM -0800, Gary Gwin wrote:
> I've tested Jldap and JNDI using SSL against OpenLdap and both hang upon
> attempting a second connection/bind operation (e.g. SSL is set up
> correctly for at least one successful operation). I'm using RedHat Linux
> 7.1, OpenLdap 2.0.11 and 2.0.18, and OpenSSL 9.6. I've also tried
> compiling the test programs with both JDK 1.3.1 (with JSSE 1.0.2) and
> JDK 1.4 beta 3 (which includes JSSE), with no difference. In all cases,
> the same test programs work fine over non-SSL connections. The JNDI
> program is included below. Also, if you start up the test program with
> the -Djavax.net.debug="all" flag, it mysteriously works.
> 
> I've also successfully tested (with the help of Novell) the same Jldap
> and JNDI test programs with SSL against Novell eDirectory 8.5 (NetWare
> 5.1) and iPlanet 5.1 on NT 4.0.
> 
> It appears that the problem is with OpenSSL/OpenLdap on RedHat Linux
> 7.1. Does anyone know of any configuration issues or known bugs that
> might cause such a problem?

Yes, we've had similar problems and it seems that the problem is in
the way the JSSE handles the SSLSession; we've solved it by modifying the
file jldap/com/novell/ldap/client/Connection.java to invalidate the
session when the secure socket is closed.

The cvs diff output is: 

--- 
Index: jldap/com/novell/ldap/client/Connection.java 
=================================================================== 
RCS file:
/repo/OpenLDAP/pkg/jldap/com/novell/ldap/client/Connection.java,v 
retrieving revision 1.61 
diff -u -r1.61 Connection.java 
--- client/Connection.java2001/12/07 22:56:031.61 
+++ client/Connection.java2001/12/13 12:46:30 
@@ -20,6 +20,8 @@ 
import java.io.OutputStream; 
import java.io.BufferedInputStream; 
import java.net.Socket; 
+import javax.net.ssl.SSLSocket; 
+import javax.net.ssl.SSLSession; 

import com.novell.ldap.*; 
import com.novell.ldap.rfc2251.*; 
@@ -455,7 +457,6 @@ 
ExceptionMessages.CONNECTION_FINALIZED), 
new Object[] { host, new Integer(port)}, 
LDAPException.CONNECT_ERROR, null, null); 
- 
// Destroy old connection 
shutdown("destroy clone", 0, notify); 
} else { 
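Review bot: the only change in this hunk is the removal of a blank line after the LDAPException construction, which is unrelated to the SSLSession fix and only widens the diff; drop it from this patch (or commit it separately) so the change stays limited to the resumption workaround.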
@@ -746,8 +747,12 @@ 
in = null; 
out = null; 
if( socket != null) { 
- // Close the socket 
+ // Close the SSLSession and the socket 
try { 
+ if(socket instanceof SSLSocket) { 
+ SSLSession ses = ((SSLSocket)socket).getSession(); 
+ ses.invalidate(); 
+ } 
socket.close(); 
} catch(java.io.IOException ie) { 
// ignore problem closing socket 
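Review bot: the new `if(socket instanceof SSLSocket)` block calls `getSession()` in the shutdown path, but `SSLSocket.getSession()` initiates a handshake if none has completed yet, so on a socket whose connect or handshake failed this can block or start a handshake at close time; guard it so it only runs after a completed handshake, or at least document that behaviour. The comment `// Close the SSLSession and the socket` also undersells what `ses.invalidate()` does: it forbids resumption of that session for every later connection, so each new SSL connection pays a full handshake. The comment should record that this is a deliberate workaround for the JSSE/OpenLDAP hang, not a general cleanup, so it can be removed once the underlying bug is fixed.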
--- 

-- 
Sergio Talens-Oliag ................ Intelligent Software Components S.A.
Edificio Trade Center                Telf: +34 96 3467143
c/. Profesor Beltrán Báguena, 4      mailto:sto@isoco.com
46009 Valencia (Spain)               http://www.isoco.com