
infinite loop with TLS (ITS#659)



Full_Name: Joel Kociolek
Version: latest CVS version (2000-08-14)
OS: Linux Debian potato
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.251.1.233)


I found an apparently infinite loop in slapd when using SSL/TLS authentication
if ldapsearch is wrongly configured.

I'm using openldap from latest CVS (as of today 2000-08-14) and ldapsearch as 
a client.

I followed the instructions outlined in 
http://www.OpenLDAP.org/lists/openldap-devel/200006/msg00107.html
to create my keys and certificates, and to configure the slapd server.

For the client config, if I have TLS_CERT, TLS_KEY and TLS_CACERT in the config
file, and I do an "ldapsearch -Z", everything works fine. But if I remove TLS_CACERT
from the config file, then slapd seems to hang. Debugging output shows that it
apparently goes into an infinite loop.

Here is the output from "slapd -d 11" when running "ldapsearch -Z uid=joko":

@(#) $OpenLDAP: slapd 2.0-devel (Mon Aug 14 17:26:48 CEST 2000) $
        joko@manchot:/home/joko/src/ldap/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse(ldap:///)
daemon: socket() failed errno=22 (Invalid argument)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: manchot initialized!
slapd startup: initiated.
slapd starting
daemon: added 6r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 9
daemon: added 9r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
sockbuf_read: want=1, got=1
         0
sockbuf_read: want=1, got=1
        1d
sockbuf_read: want=29, got=29
        02 01 01  w 18 80 16  1  .  3  .  6  .  1  .  4
         .  1  .  1  4  6  6  .  2  0  0  3  7
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
sockbuf_read: want=1 error=Resource temporarily unavailable
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=1 tvp=NULL
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
         0 0c 02 01 01  x 07 0a 01 00 04 00 04 00
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
sockbuf_write: want=14, written=14
         0 0c 02 01 01  x 07 0a 01 00 04 00 04 00
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=7, got=7
        80  k 01 03 01 00  B
tls_read: want=102, got=102
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
tls_write: want=1024, written=1024
TLS trace: SSL_accept:SSLv3 write certificate A
tls_write: want=1024, written=1024
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=109, written=109
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
tls_read: want=5, got=5
        15 03 01 00 02
tls_read: want=2, got=2
        02  0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.

TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:774
connection_read(9): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=9 for close
sockbuf_read: want=4096, got=64
         0  > 02 01 02  c  9 04 00 0a 01 00 0a 01 00 02
        01 00 02 01 00 01 01 00 87 0b  o  b  j  e  c  t
         c  l  a  s  s  0 19 04 17  s  u  p  p  o  r  t
         e  d  S  A  S  L  M  e  c  h  a  n  i  s  m  s
        (end)
sockbuf_read: want=4096, got=0
        (end)
sockbuf_read: want=4096, got=0
        (end)
sockbuf_read: want=4096, got=0
        (end)
sockbuf_read: want=4096, got=0
        (end)
sockbuf_read: want=4096, got=0
        (end)
[...]

The same two lines are repeated ad infinitum...
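Added example, not code from this report or from OpenLDAP: it decodes the alert record the trace shows tls_read receiving (15 03 01 00 02 / 02 30, i.e. a fatal "unknown ca" alert from a client that has no TLS_CACERT to validate the server against), and shows the EOF handling a post-failure read loop needs so that "want=4096, got=0" ends the connection instead of spinning. Function names are my own.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* The alert record from the trace above, as captured by tls_read:
 * 15 03 01 00 02  (content type 0x15 = alert, TLS 1.0, length 2)
 * 02 30           (level 2 = fatal, description 48 = unknown_ca) */
static const unsigned char alert_rec[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x30 };

/* Parse a TLS alert record. Returns 1 and fills level/desc when rec is a
 * well-formed alert, 0 for anything else (wrong content type, bad length). */
int tls_decode_alert(const unsigned char *rec, size_t len, int *level, int *desc)
{
    if (len < 5 || rec[0] != 0x15)
        return 0;
    size_t body = ((size_t)rec[3] << 8) | rec[4];
    if (body != 2 || len < 5 + body)   /* an alert body is exactly 2 bytes */
        return 0;
    *level = rec[5];
    *desc = rec[6];
    return 1;
}

/* Names for the alert descriptions relevant to certificate validation
 * (RFC 2246 section 7.2). */
const char *tls_alert_name(int desc)
{
    switch (desc) {
    case 0:  return "close_notify";
    case 42: return "bad_certificate";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

/* What a connection handler should do once the TLS accept has failed:
 * keep reading only while data arrives, and treat a 0-byte read as EOF.
 * The trace shows the opposite: got=0 is retried forever.
 * Returns how many read() calls were made before stopping. */
int drain_until_eof(int fd)
{
    unsigned char buf[4096];
    int calls = 0;
    for (;;) {
        ssize_t got = read(fd, buf, sizeof buf);
        calls++;
        if (got <= 0)       /* 0: peer closed; <0: error. Either way, stop. */
            break;
    }
    return calls;
}
```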


Joel K.