
Re: TLS in 2.0.8 vs 2.0.7, openssl 0.9.6, HP-UX 11, gcc



In continuing to look at why all openldap versions after 2.0.7 have been
failing with tls on my platform, I have started putting some debugging into
openssl.

In ssl/s3_srvr.c, I found that the return from ssl3_check_client_hello is -1
in the failing case.  If I put the sleep in before the call, it returns 1
instead, so I continue to believe that openldap, after 2.0.7, isn't waiting
for network data to arrive in this handshake situation.

I recognize that lots of people must be using openldap with tls without
trouble, since nobody else is making noise about this, so it's something to do
with networking on this delightful HP platform that is tweaking the handshake.

Still, does anyone know what might have happened to version 2.0.8 to change its
handling of TLS in this way?  I've been experimenting with adding some
debugging output in various places in openldap but haven't found the key
location yet.  Does this circumstance lead anybody to make a guess about the
location of the problem?  Maybe someone out there has a handle on the openldap/
openssl interface and can point directly to the problem.

From ssl/s3_srvr.c:

		case SSL3_ST_SR_CERT_A:
		case SSL3_ST_SR_CERT_B:
			/* Check for second client hello (MS SGC) */
			/* sleep(2); ??? */
			ret = ssl3_check_client_hello(s);
			/* debug: show what the check returned */
			printf("aej SSL3_ST_SR_CERT_B:ret = %d\n", ret);
			if (ret <= 0)
				goto end;

The output, with the sleep:

TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
aej SSL3_ST_SR_CERT_B:ret = 1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
...

The output, without the sleep:

TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
aej SSL3_ST_SR_CERT_B:ret = -1
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.

I'd previously discovered that slapd -d-1 gave enough output out of openldap
that it slowed to the point of functioning, without this sleep hack, and I'm
leery that if I put in more debugging typeouts, the thing is going to start
working without leading me to the problem.
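The symptom in the trace (a -1 from the handshake step when the client's next message has not arrived yet) is exactly what a non-blocking accept loop has to handle: a "need more input" result is retried after the socket becomes readable, not treated as a failure. The following is an added example, not code from this thread, OpenSSL or OpenLDAP. The step callback stands in for SSL_accept() plus SSL_get_error(), and a pipe whose forked writer delays its bytes plays the slow client; accept_with_retry, fake_read_step and run_delayed_handshake are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <unistd.h>
#define WANT_READ 1   /* stands in for SSL_ERROR_WANT_READ */
/* Drive a handshake step (stand-in for SSL_accept) to completion.  -1 plus
 * WANT_READ means "no data yet": wait for the fd, then retry.  1 done, 0 fatal, -2 timeout. */
int accept_with_retry(int fd, int (*step)(void *, int *), void *ctx, int timeout_ms)
{
    for (;;) {
        int want = 0, r = step(ctx, &want);
        if (r != -1) return r;
        if (want != WANT_READ) return 0;   /* -1 with no retryable reason */
        fd_set rfds; FD_ZERO(&rfds); FD_SET(fd, &rfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (n == 0) return -2;             /* peer never sent its next flight */
        if (n < 0 && errno != EINTR) return 0;
    }
}
/* Constructed stand-in for the "read client certificate" step: it needs `need`
 * bytes from a non-blocking fd and reports WANT_READ until they have arrived. */
struct fake_step { int fd, need, got; };
int fake_read_step(void *p, int *want)
{
    struct fake_step *f = p;
    unsigned char buf[64];
    ssize_t n = read(f->fd, buf, sizeof buf);
    if (n > 0) f->got += (int)n;
    else if (n == 0 || errno != EAGAIN) return 0;   /* EOF or hard error */
    if (f->got >= f->need) return 1;
    *want = WANT_READ; return -1;          /* the spot where the post sees -1 */
}
/* Feed the loop from a pipe whose writer (a forked child) sends `need` bytes
 * (need <= 16) after delay_ms (< 1000), like a slow client.  Returns the loop's result. */
int run_delayed_handshake(int delay_ms, int need, int timeout_ms)
{
    int p[2]; if (pipe(p) != 0) return 0;
    fcntl(p[0], F_SETFL, fcntl(p[0], F_GETFL) | O_NONBLOCK);
    pid_t child = fork();
    if (child == 0) {                      /* child plays the slow client */
        unsigned char msg[16] = {0};
        struct timeval d = { 0, delay_ms * 1000 }; select(0, NULL, NULL, NULL, &d);
        _exit(write(p[1], msg, (size_t)need) == need ? 0 : 1);
    }
    close(p[1]); struct fake_step f = { p[0], need, 0 };
    int r = accept_with_retry(p[0], fake_read_step, &f, timeout_ms);
    close(p[0]); waitpid(child, NULL, 0); return r;
}
```

With a 500 ms budget the delayed bytes complete the step on the retry; with a budget shorter than the client's delay the loop gives up with -2 instead of hanging forever.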