
(ITS#4354) syncrepl over sasl external tls fails



Full_Name: Klaus Lemkau
Version: 2.3.18
OS: debian sarge
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (130.149.2.225)


Hello,

With openldap-2.3.11 I had no problems
replicating a master-server with syncrepl
over SASL EXTERNAL using ssl-x509 certificates.

openldap-2.3.18 gives me this error:
(log of the master)

TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 0a                                              ..
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
s3_pkt.c:1052
connection_read(14): TLS accept failure error=-1 id=0, closing

I've found that all versions since 2.3.12 have the same behavior.

Any hints?

thanks

Klaus Lemkau

PS:
slapd.conf master
#...
TLSVerifyClient demand
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /home/ldap/certs/ServerCert.pem
TLSCertificateKeyFile   /home/ldap/certs/ServerKey.pem
TLSCACertificateFile    /home/ldap/certs/AllCerts.pem
TLSRandFile             /home/ldap/.rnd
TLSCRLCheck             none
#...
overlay         syncprov
#...

slapd.conf slave
#...
TLSVerifyClient hard
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /home/ldap/certs/ServerCert.pem
TLSCertificateKeyFile   /home/ldap/certs/ServerKey.pem
TLSCACertificateFile    /home/ldap/certs/AllCerts.pem
TLSRandFile             /home/ldap/.rnd
#...
syncrepl        rid=200
                provider="ldaps://master_url:1636"
                bindmethod=sasl
                saslmech="external"
                searchbase="dc=TU-Berlin,dc=DE"
                filter="(objectClass=*)"
                schemachecking=off
                scope=sub
                type=refreshAndPersist
                interval=00:00:01:00
updateref       "ldaps://master_url:1636"
#...


OS is debian sarge
openssl_0.9.7e
sasl-2.1.19
bdb-4.2.52
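The two `tls_read` hex dumps in the master's log are the raw bytes of one TLS record, and decoding them is a quick way to confirm what the trace lines say. The following script is an added example, not part of the ITS report and not OpenLDAP code: it reassembles slapd's hex dump lines into bytes, decodes the TLS record header and alert body (constants from RFC 2246), and picks out the "TLS accept failure" lines so the same parser can be run over a full `slapd -d` log to count affected connections. The sample log embedded below is a trimmed copy of the lines quoted in the report; the function names are this example's own.

```python
import re

# Constructed sample: the relevant lines copied from the slapd debug log quoted
# in the report above (trimmed; not a new capture).
SAMPLE_LOG = """\
connection_read(14): checking for input on id=0
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 0a                                              ..
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=0, closing
"""

# TLS record layer and alert protocol constants (RFC 2246 / RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# slapd hex dump lines look like "  0000:  15 03 01 00 02      ....."
HEXDUMP_RE = re.compile(r"^\s*[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s+){1,16})")
ACCEPT_FAIL_RE = re.compile(
    r"connection_read\((\d+)\): TLS accept failure error=(-?\d+) id=(\d+)")


def extract_tls_bytes(log_text):
    """Concatenate the bytes shown in consecutive slapd hex dump lines."""
    data = bytearray()
    for line in log_text.splitlines():
        m = HEXDUMP_RE.match(line)
        if m:
            data.extend(int(pair, 16) for pair in m.group(1).split())
    return bytes(data)


def parse_tls_record(data):
    """Decode one TLS record header and, for a two-byte alert record, its body."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body truncated: expected %d bytes, got %d" % (length, len(body)))
    record = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }
    if ctype == 21 and length == 2:
        record["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        record["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return record


def find_tls_accept_failures(log_text):
    """One entry per 'TLS accept failure' line: socket fd, error code, connection id."""
    failures = []
    for m in ACCEPT_FAIL_RE.finditer(log_text):
        failures.append({"fd": int(m.group(1)), "error": int(m.group(2)), "id": int(m.group(3))})
    return failures


if __name__ == "__main__":
    rec = parse_tls_record(extract_tls_bytes(SAMPLE_LOG))
    print("peer sent %s record (%s): %s %s" % (
        rec["content_type"], rec["version"], rec.get("alert_level"), rec.get("alert_description")))
    for f in find_tls_accept_failures(SAMPLE_LOG):
        print("TLS accept failure on fd %d (connid %d), error=%d" % (f["fd"], f["id"], f["error"]))
```

On the report's log this yields a content type of 0x15 (alert), version 3.1, length 2, level 2 (fatal) and description 10 (unexpected_message), matching the `SSL3 alert read:fatal:unexpected_message` trace line. Because slapd was inside `SSL_accept` waiting to read the client certificate, the alert was sent by the consumer side of the handshake, which is where a practitioner would look next (with matching `-d` output on the slave) rather than at the master's certificate settings alone.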