
Re: OpenLdap Fails with JNDI/SSL Connects



On Wed, Dec 12, 2001 at 01:20:46PM -0800, Gary Gwin wrote:
> I've tested Jldap and JNDI using SSL against OpenLdap and both hang upon
> attempting a second connection/bind operation (e.g. SSL is setup correctly for
> at least one successful operation). I'm using RedHat Linux 7.1, OpenLdap 2.0.11
> and 2.0.18, and OpenSSL 9.6. I've also tried compiling the test programs with
> both JDK 1.3.1 (with JSSE 1.0.2) and JDK 1.4 beta 3 (which includes JSSE), with
> no difference. In all cases, the same test programs work fine over non-SSL
> connections. The JNDI program is included below. Also, if you start up the test
> program with the -Djavax.net.debug="all" flag, it mysteriously works.
> 
> I've also successfully tested (with the help of Novell), the same Jldap and JNDI
> test programs with SSL against Novell eDirectory 8.5 (NetWare 5.1) and iPlanet
> 5.1 on NT 4.0.
> 
> It appears that the problem is with OpenSSL/OpenLdap on RedHat Linux 7.1. Does
> anyone know of any configuration issues or known bugs that might cause such a
> problem?

  Yes, we've had similar problems and it seems that the problem is in
  the way the JSSE handles the SSLSession. We've solved it by modifying the
  file jldap/com/novell/ldap/client/Connection.java to invalidate the
  session when the secure socket is closed.
  
  The cvs diff output is:
  
---
Index: jldap/com/novell/ldap/client/Connection.java
===================================================================
RCS file: /repo/OpenLDAP/pkg/jldap/com/novell/ldap/client/Connection.java,v
retrieving revision 1.61
diff -u -r1.61 Connection.java
--- client/Connection.java	2001/12/07 22:56:03	1.61
+++ client/Connection.java	2001/12/13 12:46:30
@@ -20,6 +20,8 @@
 import java.io.OutputStream;
 import java.io.BufferedInputStream;
 import java.net.Socket;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSession;
 
 import com.novell.ldap.*;
 import com.novell.ldap.rfc2251.*;
@@ -455,7 +457,6 @@
                            ExceptionMessages.CONNECTION_FINALIZED),
                            new Object[] { host, new Integer(port)},
                            LDAPException.CONNECT_ERROR, null, null);
-
                 // Destroy old connection
                 shutdown("destroy clone", 0, notify);
             } else {
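Review bot: the only change in this hunk is the removal of a blank line after the `LDAPException` constructor call, which is unrelated to the SSL session fix; drop it from the patch so the diff carries only the behavioural change and stays easy to bisect in the revision history.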
@@ -746,8 +747,12 @@
         in = null;
         out = null;
         if( socket != null) {
-            // Close the socket
+            // Close the SSLSession and the socket
             try {
+                if(socket instanceof SSLSocket) {
+                  SSLSession ses = ((SSLSocket)socket).getSession();
+                  ses.invalidate();
+                }
                 socket.close();
             } catch(java.io.IOException ie) {
                 // ignore problem closing socket
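Review bot: `SSLSocket.getSession()` initiates the TLS handshake if none has completed yet and blocks until it finishes, so calling it unconditionally on every shutdown (including the "destroy clone" path of the previous hunk, where the connection may already be broken) can hang on a dead peer instead of closing promptly; guard the call with a flag set once the handshake has completed, or at least record that assumption in a comment. Two smaller points: the new comment "Close the SSLSession" overstates what `ses.invalidate()` does (it only marks the session unresumable for future connections; the current connection is unaffected until `socket.close()`), and the change works around a session-resumption interoperability problem between JSSE and the server rather than explaining why a resumed session hangs, which is worth stating in the commit message so the workaround can be revisited.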
---

-- 
Sergio Talens-Oliag ................ Intelligent Software Components S.A.
Edificio Trade Center                Telf: +34 96 3467143
c/. Profesor Beltrán Báguena, 4      mailto:sto@isoco.com
46009 Valencia (Spain)               http://www.isoco.com