Issue 6610 - Client receives SIGPIPE when connected via ldapi with TLS
Summary: Client receives SIGPIPE when connected via ldapi with TLS
Status: VERIFIED WORKSFORME
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.23
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-29 06:55 UTC by jzeleny@redhat.com
Modified: 2020-03-19 22:07 UTC
Description jzeleny@redhat.com 2010-07-29 06:55:54 UTC
Full_Name: Jan Zeleny
Version: 2.4.23
OS: Linux
URL: http://jzeleny.fedorapeople.org/debug/openldap/sigpipe-traces.tar.bz2
Submission from: (NULL) (209.132.186.34)


When running slapd listening on a local socket (ldapi:///), clients connecting to
it will sometimes SIGPIPE when using TLS. This happens about 70% of the time.

How to reproduce:
generate a pem certificate
slapd -h ldapi:///
ldapsearch -H ldapi:/// -ZZ -x -d -1

I'm attaching straces from both slapd and ldapsearch. What seems to be happening
is that slapd receives EAGAIN during the read from the socket, marks it for another
read, but then terminates a reading thread and closes the connection, while the
client still wants to write some data. When doing ldapsearch, it does this after
the result was returned; that's why it can probably be seen only in debugging mode.

The issue was originally reported on 2.3.43, but I successfully reproduced it on
newer versions, including 2.4.23. The only exception was Fedora rawhide version
(currently 2.4.22), which is built with NSS instead of OpenSSL. NSS (and NSPR)
doesn't seem to support local sockets at all, so it is not possible to use ldapi
with -ZZ any more.

I'm attaching straces from both a successful and an unsuccessful run. For complete
information, here is the URL of the relevant Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=564108
Comment 1 Howard Chu 2010-07-29 09:33:16 UTC
jzeleny@redhat.com wrote:
> Full_Name: Jan Zeleny
> Version: 2.4.23
> OS: Linux
> URL: http://jzeleny.fedorapeople.org/debug/openldap/sigpipe-traces.tar.bz2
> Submission from: (NULL) (209.132.186.34)
>
>
> When running slapd listening on a local socket (ldapi:///), clients connecting to
> it will sometimes SIGPIPE when using TLS. This happens about 70% of the time.
>
> How to reproduce:
> generate a pem certificate
> slapd -h ldapi:///
> ldapsearch -H ldapi:/// -ZZ -x -d -1
>
> I'm attaching straces from both slapd and ldapsearch. What seems to be happening
> is that slapd receives EAGAIN during the read from the socket, marks it for another
> read, but then terminates a reading thread and closes the connection, while the
> client still wants to write some data. When doing ldapsearch, it does this after
> the result was returned; that's why it can probably be seen only in debugging mode.
>
> The issue was originally reported on 2.3.43, but I successfully reproduced it on
> newer versions, including 2.4.23. The only exception was Fedora rawhide version
> (currently 2.4.22), which is built with NSS instead of OpenSSL. NSS (and NSPR)
> doesn't seem to support local sockets at all, so it is not possible to use ldapi
> with -ZZ any more.

Not sure this is worth investigating, since there's no reason to use TLS on 
ldapi://, and as you already said, it won't even be possible with the upcoming 
(rawhide) packages.

> I'm attaching straces from both a successful and an unsuccessful run. For complete
> information, here is the URL of the relevant Red Hat Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=564108

In regards to the original report, just leave ssl off in the nss_ldap config. 
Use the starttls URL extension instead.
   ldap://host/????starttls
	
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Quanah Gibson-Mount 2017-04-07 17:54:48 UTC
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2020-03-19 22:07:26 UTC
I have no issues using ldapsearch with -ZZ over ldapi at all, and have used it for many years.  This may have been fixed as a result of later fixes specific to LDAPI.