(ITS#7122) MozNSS linked libldap makes startTLS extremely slow

Full_Name: Quanah Gibson-Mount
Version: 2.4.23 (RHEL build)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

As part of http://rhn.redhat.com/errata/RHBA-2011-0673.html, Red Hat updated its
OpenLDAP packages to use MozNSS instead of OpenSSL.  However, this has an
immediate negative effect on people who use StartTLS:

| Problem:
| Red Hat rebased their OpenLDAP server packages to use Mozilla NSS
| instead of the OpenSSL libraries
| (http://rhn.redhat.com/errata/RHBA-2011-0673.html).
| Attempting to authenticate a Zimbra session against this upgraded
| external OpenLDAP server using starttls results in a 30s delay
| between the beginning of the request and the validation of the
| credentials. I've tested this scenario by rolling back to the
| previous version of OpenLDAP (2.4.19-15), which restores the
| authentication to an acceptable speed.
| This bug only impacts starttls sessions; utilizing ldaps is an
| acceptable workaround for the time being, although we would like to
| return to starttls in the future as ldaps is deprecated in OpenLDAP.
| Action:
| Rolled OpenLDAP server back to a previous version and the
| authentication returns to normal.