Full_Name: Quanah Gibson-Mount
Version: 2.4.7
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.23.156.219)

Setting TLSCipherSuite to "cipher1 cipher2" rather than "cipher1:cipher2" causes slapd to hang on startup (at least when using GnuTLS). It appears to be hanging indefinitely in ldap_pvt_tls_set_option()

--Quanah
On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek
> <vorlon@debian.org> wrote:
> > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > startup (which should be investigated).

> Filed upstream:
> <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

Sorry, the description of this ITS is inverted. It's *valid* ciphersuite values (i.e., "cipher1:cipher2") that cause the hang; invalid space-separated values are merely truncated after the first cipher in the list, which doesn't cause a hang, it just prevents the cipher list from being useful.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
I ran into this problem a little while ago and scribbled up the attached patch to fix it. It's trivial enough and it works in my testing here.

Cheers,
Kyle Moffett
On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> I ran into this problem a little while ago and scribbled up the
> attached patch to fix it. It's trivial enough and it works in my
> testing here.

Sorry, the patch seems to have gone out MIME-encoded and mostly useless to people who want to download it from the bug-tracker. Let me try again... (Sorry, still getting used to a new email client)

Cheers,
Kyle Moffett
On Jan 31, 2008 7:43 AM, Kyle Moffett <kyle@moffetthome.net> wrote: > On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote: > > I ran into this problem a little while ago and scribbled up the > > attached patch to fix it. It's trivial enough and it works in my > > testing here. > > Sorry, the patch seems to have gone out MIME-encoded and mostly > useless to people who want to download it from the bug-tracker. Let > me try again... (Sorry, still getting used to a new email client) Well damn, it still didn't work. Hopefully gmail won't mangle a pasted patch. Again, my apologies for the mess. Cheers, Kyle Moffett --- openldap-2.4.7/libraries/libldap/tls.c.orig 2007-12-21 19:24:08.000000000 -0500 +++ openldap-2.4.7/libraries/libldap/tls.c 2007-12-21 19:36:02.000000000 -0500 @@ -300,6 +300,7 @@ for (i=0; i<n_ciphers; i++) { if ( !strncasecmp( ciphers[i].name, ptr, len )) { num++; + ptr = end + 1; break; } } @@ -330,6 +331,7 @@ * only appear once in each list. */ if ( !strncasecmp( ciphers[i].name, ptr, len )) { + ptr = end + 1; for (j=0; j<nkx; j++) if ( kx[j] == ciphers[i].kx ) break;
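Review bot: in the first hunk (the counting loop around line 300) the new `ptr = end + 1;` runs only inside the match branch, immediately before `break`, so the path taken when no entry of `ciphers[]` matches is left entirely to code outside the hunk; please confirm that the unrecognised-name path also advances `ptr` or rejects the value, otherwise a mistyped name in TLSCipherSuite would still spin in this loop. The `+ 1` also presumes `end` rests on a ':' separator. The hunk does not show how `end` is computed, but if it can sit on the terminating NUL for the last name in the list, `end + 1` steps past the string and the outer loop's `*ptr` test reads beyond the buffer; `ptr = *end ? end + 1 : end;` avoids that.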
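Review bot: in the second hunk (around line 330) the advance is placed at the top of the match block, before the `for (j=0; j<nkx; j++)` deduplication loop, rather than next to the loop's exit as in the first hunk. That is asymmetric with the first change and it also modifies `ptr` before the rest of the match block runs, so if anything later in that block still refers to `ptr` (not visible in the hunk) it now sees the start of the next name. Moving the assignment to just before the block is left, mirroring the first hunk, and adding a one-line comment such as `/* consume this name; the enclosing loop does not advance on a match */` would make the intent clear to the next reader. The same end-of-list caveat applies: if `end` is the terminating NUL on the final name, `end + 1` is past the buffer.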
moved from Incoming to Software Bugs
Hi Kyle,

On Fri, Feb 01, 2008 at 12:15:52AM -0500, Kyle Moffett wrote:
> On Jan 29, 2008 2:55 PM, Steve Langasek <vorlon@debian.org> wrote:
> > On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> > > --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek <vorlon@debian.org> wrote:
> > > > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > > > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > > > startup (which should be investigated).

> > > Filed upstream:
> > > <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

> > Sorry, the description of this ITS is inverted. It's *valid* ciphersuite
> > values (i.e., "cipher1:cipher2") that cause the hang; invalid
> > space-separated values are merely truncated after the first cipher in the
> > list, which doesn't cause a hang, it just prevents the cipher list from
> > being useful.

> Steve, would you mind testing the patch I posted there? It fixed the
> problem for me when I wrote it a month or two ago, hopefully it will
> fix the problem for you too.

Thanks, I can confirm this fixes the problem here. I'm able to set multiple ciphers in a TLSCipherSuite list, and able to connect appropriately with ldapsearch and gnutls-cli after the change.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
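Steve's summary of the two behaviours (a valid "cipher1:cipher2" list hangs, a space-separated one is silently cut short) comes down to how the colon-separated TLSCipherSuite value is tokenised. The C model below is added here for illustration; it is not OpenLDAP's tls.c and its cipher-name table is constructed. parse_cipher_suite_defective reproduces the failure mode in miniature: the scanner moves ptr only past names it does not recognise, so a recognised name is rescanned forever (a step cap makes the function return PARSE_HANG instead of spinning). parse_cipher_suite is the corrected form: every iteration consumes exactly one token, the last token (which has no ':' after it) does not step past the terminating NUL, and, going one step beyond what the thread itself asks for, an unknown or space-separated entry is rejected with PARSE_UNKNOWN rather than truncated, so a mistyped configuration fails loudly at startup instead of quietly weakening the cipher list.

```c
#define _POSIX_C_SOURCE 200809L   /* strncasecmp() in <strings.h> */
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed cipher-name table standing in for the one tls.c consults;
 * the labels are illustrative, not a copy of GnuTLS's list. */
static const char *const cipher_names[] = {
    "AES-128-CBC", "AES-256-CBC", "3DES-CBC", "ARCFOUR-128",
};
#define N_CIPHERS (sizeof cipher_names / sizeof cipher_names[0])

#define PARSE_UNKNOWN (-1)   /* a token matched no known cipher name */
#define PARSE_HANG    (-2)   /* defective model: the loop would never end */

/* Exact, case-insensitive lookup of a token that is not NUL-terminated.
 * Requiring equal length keeps "AES-128" from matching "AES-128-CBC". */
static int find_cipher(const char *tok, size_t len)
{
    for (size_t i = 0; i < N_CIPHERS; i++) {
        if (strlen(cipher_names[i]) == len &&
            strncasecmp(cipher_names[i], tok, len) == 0)
            return (int)i;
    }
    return PARSE_UNKNOWN;
}

/* Model of the defect reported in this ITS: ptr is only moved past a token
 * that is NOT recognised, so a valid "name1:name2" list rescans name1 for
 * ever. A step cap stands in for the real hang so the function returns. */
int parse_cipher_suite_defective(const char *suites)
{
    const char *ptr = suites;
    int num = 0, steps = 0;

    while (*ptr) {
        if (++steps > 1000)
            return PARSE_HANG;
        const char *end = ptr;
        while (*end && *end != ':')
            end++;
        if (find_cipher(ptr, (size_t)(end - ptr)) >= 0) {
            num++;                        /* recognised: ptr never advances */
            continue;
        }
        ptr = *end ? end + 1 : end;       /* unrecognised: skip the token */
    }
    return num;
}

/* Corrected parser. Each iteration consumes one token, the final token (no
 * ':' after it) does not step past the NUL, surrounding blanks are tolerated,
 * and an unknown or space-separated entry is rejected instead of truncating
 * the list. Matched indices go to out[] (at most max); returns the count. */
int parse_cipher_suite(const char *suites, int *out, int max)
{
    const char *ptr = suites;
    int num = 0;

    while (*ptr) {
        while (isspace((unsigned char)*ptr))
            ptr++;
        if (!*ptr)
            break;                        /* trailing ':' or blanks */
        const char *end = ptr;
        while (*end && *end != ':')
            end++;
        size_t len = (size_t)(end - ptr);
        while (len > 0 && isspace((unsigned char)ptr[len - 1]))
            len--;
        int idx = find_cipher(ptr, len);  /* "A B" is one token: rejected */
        if (idx < 0)
            return PARSE_UNKNOWN;
        if (num < max)
            out[num] = idx;
        num++;
        ptr = *end ? end + 1 : end;       /* never read beyond the NUL */
    }
    return num;
}

/* Convenience wrappers: count of recognised names, and the n-th index. */
int count_ciphers(const char *suites)
{
    int out[16];
    return parse_cipher_suite(suites, out, 16);
}

int cipher_at(const char *suites, int n)
{
    int out[16];
    int num = parse_cipher_suite(suites, out, 16);
    return (n >= 0 && n < 16 && n < num) ? out[n] : PARSE_UNKNOWN;
}
```

Any C99 compiler builds this; strncasecmp is POSIX rather than ISO C, hence the feature-test macro at the top. The check worth keeping in a regression suite is that count_ciphers("AES-128-CBC AES-256-CBC") returns PARSE_UNKNOWN: that is what tells you the parser refuses the undocumented space-separated syntax rather than silently keeping only the first name.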
changed notes changed state Open to Test
changed notes changed state Test to Release
changed notes changed state Release to Closed
moved from Software Bugs to Archive.Software Bugs
fixed in HEAD fixed in 2.4.8