
RE: Session Resumption problems with JSSE-OpenLDAP



Interesting, 4414143 looks like a Sun bug id but I cannot get the description from Sun Solve.

Does anyone have details of the Microsoft bug id which resulted in the fix for Win XP?

Thanks,
	Stuart

The reason I ask is that we are using Win2K and would like to get the fix available there too...

-----Original Message-----
From: Cameron Morris [mailto:CMorris@novell.com]
Sent: Thursday, May 30, 2002 12:32 AM
To: Ted.Cheng@ca.com; openldap-software@OpenLDAP.org
Subject: RE: Session Resumption problems with JSSE-OpenLDAP


It looks like Sun got a different problem associated with this defect. 
They are talking about stopTLS, which does have problems, not about
session resumption. 

- Cameron

>>> "Cheng, Ted C" <Ted.Cheng@ca.com> 05/29/02 01:49PM >>>

Analysis from Sun:

BugId: 4626636    
Synopsis: Session Resumption Hangs against OpenLdap with OpenSSL

The Evaluation section says:
Closing as a duplicate of 4529751. Although that bug is about JNDI and
not JLDAP, it is essentially the same problem.

BugId: 4529751
Synopsis: JNDI using TLS or SSL hangs on multiple connections

There are some known problems with how directory servers handle 
a SSL/TLS close.

For Windows Active Directory 2000, there is a bug in the server
that doesn't handle reusing a session. See 4414143. This is fixed
in Windows Active Directory XP, scheduled for release in Q1 2002.

iPlanet Directory 5.0 ignores the Start TLS close. Just hangs. SSL
close didn't seem to be a problem, but maybe that's just coincidental.
The table below lists the TLS/SSL close behavior with directory servers
when multiple connections (50) were made one after another.

The client was run using JDK1.4 FCS.

As the table suggests SSL close behaves just fine.

The startTLS (tls.close() not called) column lists the behavior when
a new context is used for subsequent connections.
startTLSResponse.close() is not called in this case.

The startTLS (tls.close() called) column lists the behavior when
startTLSResponse.close() is explicitly called, and a new
StartTLSResponse is created using the same context for subsequent
connections.

The Failure reason section of the table below indicates that failures
are due to improper handling of StartTLSResponse.close() by the
server-side implementation. The client-side handling of TLS close()
is fine.

==========================================================================
Server                  startTLS       startTLS       SSL   Failure reason
                        (tls.close()   (tls.close()
                        called)        not called)
==========================================================================
Windows XP              OK             OK             OK
Active Directory

iPlanet Directory 5.0   FAIL           OK             OK    The server ignores
                                                            startTLSResponse.close()
                                                            and hangs, while the
                                                            client waits for the
                                                            server to respond.

iPlanet Directory 5.1   FAIL           OK             OK    Same as above

OpenLDAP 2.0.11         FAIL           OK             OK    The server closes the
                                                            TCP connection when
                                                            StartTLSResponse.close()
                                                            is called
==========================================================================
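Added example, not code from this thread or from Sun's test harness: the JNDI StartTLS teardown that the two startTLS columns distinguish, run over 50 sequential connections as in Sun's test. The server URL, base DN and the connect/read timeout properties are assumptions (the timeouts exist on JDK 6 and later, not on the JDK 1.4 used in the test); the timeout is what keeps the client from waiting forever on a server that ignores StartTlsResponse.close(). Unlike Sun's "called" column, every iteration here opens a fresh context.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
public class StartTlsCloseProbe {
    // Assumed server and base DN (placeholders, not from the thread).
    private static final String URL = "ldap://ldap.example.invalid:389";
    private static final String BASE = "dc=example,dc=invalid";
    // One connection: StartTLS, trivial search, teardown; closeTls selects
    // the "tls.close() called" (true) or "not called" (false) column.
    static void probe(boolean closeTls) throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // Bound the wait so a server that ignores the TLS close cannot hang us (JDK 6+).
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        InitialLdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();                       // upgrade the connection to TLS
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);
            ctx.search(BASE, "(objectClass=*)", sc).close();
        } finally {
            if (closeTls && tls != null) {
                tls.close();                       // explicit TLS-layer close
            }
            ctx.close();                           // always drop the LDAP context
        }
    }
    // Runs n sequential connections and returns how many completed cleanly.
    static int run(int n, boolean closeTls) {
        int ok = 0;
        for (int i = 0; i < n; i++) {
            try { probe(closeTls); ok++; }
            catch (NamingException | IOException e) { System.err.println(i + ": " + e); }
        }
        return ok;
    }
    public static void main(String[] args) {
        boolean closeTls = args.length > 0 && args[0].equals("close");
        System.out.println("completed " + run(50, closeTls) + " of 50");
    }
}
```

Run it once with and once without the `close` argument against the same server; a drop in the completed count with `close` reproduces the FAIL cells of the table.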