Strange TLS behaviour with slapd 2.3.30 on Debian Etch

[Denis Sacchet <ouba@ouba.org>]

Hello,

I have a strange behaviour regarding TLS encryption with an LDAP server. 
Everything works like a charm for a while, and without any sign, the 
server begins to not respond for TLS traffic. As the server is partially 
open on internet, I force TLS, so it is very annoying for us.

I change a lot of parameters, I already read several thread about that 
(and more specially, the one with exactly the same error message as me, 
where it was solved by specifying the same ciphers in slapd.conf and 
ldap.conf, but it doesn't work for me ...)

You will find all my parameters below, hope I forget nothing. I can 
provide more log files with and without the problem on demand.

The ldap server is used by apache, postfix, saslauthd, pam_ldap, 
nss_ldap ...

Thanks in advance if someone can found a solution for me !!!

Best regards

Denis Sacchet

===================

Here are all the information I can give you :

@(#) $OpenLDAP: slapd 2.3.30 (Mar  9 2007 05:43:02) $

on a Debian Etch server, here are the link information for slapd:

        linux-gate.so.1 =>  (0xffffe000)
        libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f41000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f35000)
        libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7eed000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ede000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ec8000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e89000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 
(0xb7d4f000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d21000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d0d000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfb000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7cf4000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7cec000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bbb000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb7000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7ba0000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7b8c000)
        /lib/ld-linux.so.2 (0xb7f88000)

The same for ldapsearch :

        linux-gate.so.1 =>  (0xffffe000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f8d000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f81000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f6a000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f2b000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 
(0xb7df1000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dc3000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7db0000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c7f000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c7a000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7c66000)
        /lib/ld-linux.so.2 (0xb7fca000)

A part of my slapd.conf (no acl, no pass :) ) :

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/rfc2307bis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mozillaabpersonalpha.schema
include         /etc/ldap/schema/evolutionperson.schema
include         /etc/ldap/schema/ouba.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      smbk5pwd
backend         bdb
checkpoint 512 30

sizelimit 500
tool-threads 1

security ssf=128
disasllow bind_anon
password-hash {SHA}

TLSCACertificateFile /etc/ssl/certs/<hiddendomain>.pem
TLSCertificateFile /etc/ldap/ssl/ldap.<hiddendomain>.com.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.<hiddendomain>.com.key
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSVerifyClient never
TLSCRLCheck none
TLSRandFile /dev/hwrng

loglevel        any

#######################################################################
# <hiddendomain>.com database
database        bdb
overlay         smbk5pwd
suffix          "dc=<hiddendomain>,dc=com"
rootdn          "cn=Manager,dc=<hiddendomain>,dc=com"
directory       "/var/lib/ldap/<hiddendomain>.com"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq uid uidNumber memberUid gidNumber service
lastmod         on
replogfile      /var/lib/ldap/<hiddendomain>.com/replog

My ldap.conf file :

TLS_CACERT /etc/ssl/certs/<hiddendomain>.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP

BASE    dc=<hiddendomain>, dc=com
URI     ldap://ldap.<hiddendomain>.com:389

A trace of ldapsearch when there is the problem :

ldapsearch  -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h 
"ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 10 08:21:46 2007

** ld 0x8057558 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
   Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg:  mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com, issuer: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, 
issuer: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The same just after a fresh restart :

 # ldapsearch  -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" 
-h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 10 08:22:20 2007

** ld 0x8057558 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
   Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg:  mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com, issuer: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, 
issuer: 
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> 
Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Enter LDAP Password:

--
Denis Sacchet aka. Ouba                     ("`-/")_.-'"``-._
                                             . . `; -._    )-;-,_`)
"Computers are like air conditionners       (v_,)'  _  )`-.\  ``-'
They stop working properly when you        _.- _..-_/ / ((.'
open Windows !!!"                        ((,.-'   ((,/