
RE: Session Resumption problems with JSSE-OpenLDAP



>From: Kurt D. Zeilenga, 05/30/02 11:48AM
>
>OpenLDAP's slapd doesn't allow resumption of sessions.  slapd
>abruptly closes the LDAP session when the TLS association is
>terminated.  This behavior is allowed per section 4 of RFC 2830.

<RFC2830>
4.2.  Abrupt Closure

Either the client or server MAY abruptly close the entire LDAP
association and any TLS connection established on it by dropping the
underlying TCP connection. A server MAY beforehand send the client a
Notice of Disconnection [LDAPv3] in this case.
</RFC2830>

When SLAPD closes the LDAP session, the underlying TCP connection does
not seem to be dropped reliably. An example: the client initiates TLS,
followed by a bind. SLAPD closes the session due to resumption.
If the TCP connection is dropped, the client's authentication
credential should not have reached SLAPD.

Experiments show that the client sends out the credential after TLS, then hangs.
SLAPD does not detect the bind request; no activity is shown in the SLAPD logging.
If the Ethernet cable is pulled from the SLAPD host, the bind activity
shows in the SLAPD logging.

Breaking into the SLAPD code, instead of pulling the cable, when the client hangs,
there are three threads: daemon, listener, and an idle one. There is no pending
request. As such, the listener blocks waiting indefinitely.

Timing may be an issue. If the client is run from a debugger, both JSSE and
SLAPD are happy, business as usual.

-Ted
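As an added illustration (not code from Ted's setup or from OpenLDAP): a small JSSE client probe that sends a BindRequest over TLS with a read timeout, so a silent server or an abrupt close is reported as a condition instead of an indefinite hang, and that invalidates the session so the next connection negotiates a full handshake rather than offering resumption. It assumes TLS on connect (ldaps-style) rather than StartTLS; the class name is hypothetical, host and port are arguments, and the anonymous bind bytes are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.SocketTimeoutException;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical JSSE probe: TLS connect, send a BindRequest, report silence vs. close. */
public class LdapTlsProbe {
    /** Constructed sample: anonymous simple BindRequest, messageID 1, LDAPv3, BER-encoded. */
    public static final byte[] ANON_SIMPLE_BIND = {
        0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, (byte) 0x80, 0x00
    };

    /** Returns the server's reply bytes, or null on read timeout or orderly close. */
    public static byte[] sendWithTimeout(String host, int port, byte[] bindRequest, int timeoutMs)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // A read timeout turns "the client hangs" into a diagnosable error.
            sock.setSoTimeout(timeoutMs);
            sock.startHandshake();
            // Drop this session from JSSE's cache so the next connection performs a full
            // handshake instead of offering a resumption the server will not accept.
            sock.getSession().invalidate();
            OutputStream out = sock.getOutputStream();
            out.write(bindRequest);
            out.flush();
            InputStream in = sock.getInputStream();
            byte[] buf = new byte[4096];
            int n;
            try {
                n = in.read(buf);
            } catch (SocketTimeoutException e) {
                System.err.println("no BindResponse within " + timeoutMs + " ms: server silent");
                return null;
            }
            if (n < 0) {
                System.err.println("server closed the TLS association before replying");
                return null;
            }
            return Arrays.copyOf(buf, n);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] reply = sendWithTimeout(args[0], Integer.parseInt(args[1]), ANON_SIMPLE_BIND, 5000);
        System.out.println(reply == null ? "no reply" : "reply of " + reply.length + " bytes");
    }
}
```

An abrupt TCP drop (rather than an orderly close) surfaces as an IOException from the read, which the method lets propagate to the caller.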