The SSLSession stores enough information to connect to servers it has
already connected to previously. There is a simplified handshake designed
for this purpose, called session resumption. If a client sends a hello with
a session ID from a previous session, the server can choose to resume the
previous session or start a new one. So either the server is choking on the
resume request or JSSE could be choking on the denial. (Since the debug flag
fixes the problem I'd guess the problem is with JSSE.)

I ran a test to see if the problem is JSSE. In a loop I connect and
re-connect, just like Gary's code does. I put a System.in.read to pause the
code after each re-connect. Then I downed eDirectory and brought it up again
to destroy any cached session keys. Then I continued the program; it was
able to recover the fact that the session was no longer valid on the server.
So I'd guess the problem is in the OpenLDAP server or in OpenSSL. A sniffer
trace showing the handshake would definitely help.

I'm interested in the outcome of this thing, so if you find something please
let me know.
Thanks,
Cameron
Cameron Morris
Software Engineer, Directory Services
Novell, Inc., The leading provider of Net services software

>>> Sergio Talens-Oliag < sto@isoco.com > 12/13/01 05:49AM >>>
On Wed, Dec 12, 2001 at 01:20:46PM -0800, Gary Gwin wrote:
> I've tested Jldap and JNDI using SSL against OpenLdap and both hang upon
> attempting a second connection/bind operation (e.g. SSL is set up correctly for
> at least one successful operation). I'm using RedHat Linux 7.1, OpenLdap 2.0.11
> and 2.0.18, and OpenSSL 9.6. I've also tried compiling the test programs with
> both JDK 1.3.1 (with JSSE 1.0.2) and JDK 1.4 beta 3 (which includes JSSE), with
> no difference. In all cases, the same test programs work fine over non-SSL
> connections. The JNDI program is included below. Also, if you start up the test
> program with the -Djavax.net.debug="all" flag, it mysteriously works.
>
> I've also successfully tested (with the help of Novell) the same Jldap and JNDI
> test programs with SSL against Novell eDirectory 8.5 (NetWare 5.1) and iPlanet
> 5.1 on NT 4.0.
>
> It appears that the problem is with OpenSSL/OpenLdap on RedHat Linux 7.1. Does
> anyone know of any configuration issues or known bugs that might cause such a
> problem?

Yes, we've had similar problems and it seems that the problem is in the way
the JSSE handles the SSLSession; we've solved it by modifying the file
jldap/com/novell/ldap/client/Connection.java to invalidate the session when
the secure socket is closed. The cvs diff output is:

---
Index: jldap/com/novell/ldap/client/Connection.java
===================================================================
RCS file: /repo/OpenLDAP/pkg/jldap/com/novell/ldap/client/Connection.java,v
retrieving revision 1.61
diff -u -r1.61 Connection.java
--- client/Connection.java	2001/12/07 22:56:03	1.61
+++ client/Connection.java	2001/12/13 12:46:30
@@ -20,6 +20,8 @@ import java.io.OutputStream; import java.io.BufferedInputStream; import java.net.Socket; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSession; import com.novell.ldap.*; import com.novell.ldap.rfc2251.*; @@ -455,7 +457,6 @@ ExceptionMessages.CONNECTION_FINALIZED), new Object[] { host, new Integer(port)}, LDAPException.CONNECT_ERROR, null, null); - // Destroy old connection shutdown("destroy clone", 0, notify); } else { @@ -746,8 +747,12 @@ in = null; out = null; if( socket != null) { - // Close the socket + // Close the SSLSession and the socket try { + if(socket instanceof SSLSocket) { + SSLSession ses = ((SSLSocket)socket).getSession(); + ses.invalidate(); + } socket.close(); } catch(java.io.IOException ie) { // ignore problem closing socket --- -- Sergio Talens-Oliag ................ Intelligent Software Components S.A. _ _ _ _ Edificio Trade Center Telf: +34 96 3467143 @ |_ | || | | c/. Profesor Beltrán Báguena, 4 mailto:sto@isoco.com | _||_||_ |_| 46009 Valencia (Spain) http://www.isoco.com .............. |
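Review bot: the second hunk (@@ -455,7 +457,6 @@) only deletes the comment `// Destroy old connection` above `shutdown("destroy clone", 0, notify);` and has nothing to do with the SSLSession fix; either drop it from this patch or keep the comment, since it is the only explanation of why a finalized clone triggers a shutdown.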
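Review bot: in the third hunk (@@ -746,8 +747,12 @@), `((SSLSocket)socket).getSession()` is not a plain getter: JSSE initiates a handshake if none has completed on the socket, so calling it from the close path on a socket whose handshake never finished can block, and after a failed handshake it hands back a session that is already invalid. Run the new block only when a handshake is known to have completed, and put it in its own try/catch rather than relying on the surrounding `catch(java.io.IOException ie)`, which only covers `socket.close()`. Also add a comment stating that `ses.invalidate()` is a workaround: it drops the session from the JSSE cache so no later connection to that host can resume it, which avoids the hang by never attempting resumption instead of fixing the resumption failure.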
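Cameron's description of the resumption handshake, and his request for a sniffer trace, can be checked mechanically on the first two handshake records of a capture: the server signals resumption by echoing the client's session ID in its ServerHello, and anything else means it chose a full handshake. The Python below is an example added to this page (it is not jldap code and was not written by any of the posters); it parses a TLS 1.0 ClientHello and ServerHello with RFC 2246 framing and no extensions, and reports which of the two outcomes the server picked. The hello records it runs on are constructed inside the block, and the 32-byte session IDs in them are invented for the example.

```python
import struct

HANDSHAKE = 0x16        # TLS record content type for handshake messages
CLIENT_HELLO = 1
SERVER_HELLO = 2
TLS_1_0 = 0x0301


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record holding a single ClientHello or ServerHello.

    Returns the protocol version, the session_id the peer offered or echoed,
    and the cipher suites (ClientHello) or the chosen suite (ServerHello).
    Extensions, if present after the compression methods, are ignored.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    (version,) = struct.unpack("!H", hs[0:2])
    # 2 bytes version, 32 bytes random, then a 1-byte session_id length
    sid_len = hs[34]
    session_id = hs[35:35 + sid_len]
    pos = 35 + sid_len
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
        suites = [struct.unpack("!H", hs[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + cs_len, 2)]
        return {"type": "ClientHello", "version": version,
                "session_id": session_id, "cipher_suites": suites}
    if hs_type == SERVER_HELLO:
        (suite,) = struct.unpack("!H", hs[pos:pos + 2])
        return {"type": "ServerHello", "version": version,
                "session_id": session_id, "cipher_suite": suite}
    raise ValueError("unexpected handshake type %d" % hs_type)


def resumption_outcome(client_hello: bytes, server_hello: bytes) -> str:
    """Say what the server did with the client's session_id (RFC 2246 7.4.1.3).

    The server signals resumption by echoing the client's session_id; any
    other value (including an empty one) means it chose a full handshake.
    """
    ch = parse_hello(client_hello)
    sh = parse_hello(server_hello)
    if ch["type"] != "ClientHello" or sh["type"] != "ServerHello":
        raise ValueError("expected a ClientHello followed by a ServerHello")
    if not ch["session_id"]:
        return "full handshake (client offered no session)"
    if sh["session_id"] == ch["session_id"]:
        return "resumed"
    return "full handshake (server declined resumption)"


def build_hello(hs_type: int, session_id: bytes, suites: list) -> bytes:
    """Build a minimal TLS 1.0 hello record with no extensions (test input only)."""
    random = bytes(32)  # an all-zero random is fine for exercising the parser
    if hs_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        tail = struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # one method: null
    else:
        tail = struct.pack("!H", suites[0]) + b"\x00"          # chosen suite, null compression
    body = struct.pack("!H", TLS_1_0) + random + bytes([len(session_id)]) + session_id + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS_1_0, len(hs)) + hs


# Constructed sample exchanges; the session IDs are invented for this example.
SID_A = bytes(range(1, 33))
SID_B = bytes(range(101, 133))
CH_RESUME = build_hello(CLIENT_HELLO, SID_A, [0x0035, 0x002F])   # reconnect offering SID_A
SH_RESUMED = build_hello(SERVER_HELLO, SID_A, [0x0035])          # server echoes SID_A
SH_DECLINED = build_hello(SERVER_HELLO, SID_B, [0x0035])         # server starts a new session
CH_FRESH = build_hello(CLIENT_HELLO, b"", [0x0035])              # first connection, no session

if __name__ == "__main__":
    print("reconnect, server resumes:  ", resumption_outcome(CH_RESUME, SH_RESUMED))
    print("reconnect, server declines: ", resumption_outcome(CH_RESUME, SH_DECLINED))
    print("first connection:           ", resumption_outcome(CH_FRESH, SH_DECLINED))
```

On a real trace, feed the raw bytes of the first handshake record in each direction to resumption_outcome. What follows the ServerHello corroborates the verdict: a resumed session goes straight to ChangeCipherSpec and Finished, while a full handshake continues with a Certificate message. A hang that occurs after a ServerHello echoing the client's ID, with no ChangeCipherSpec from the server, is the pattern that would point at the server side; a hang after a declined resumption, with the server's Certificate already on the wire, would point at the client.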