[Date Prev][Date Next]
(ITS#7122) MozNSS linked libldap makes startTLS extremely slow
Full_Name: Quanah Gibson-Mount
Version: 2.4.23 (RHEL build)
Submission from: (NULL) (188.8.131.52)
As part of http://rhn.redhat.com/errata/RHBA-2011-0673.html, RedHat updated its
OpenLDAP packages to use MozNSS instead of OpenSSL. However, this has an
immediate negative effect on people who use StartTLS:
| Redhat rebased their openldap server packages to use Mozilla NSS
| instead of the OpenSSL libraries
| Attempting to authenticate a Zimbra session against this upgraded
| external openLDAP server using starttls results in a 30s delay
| between the beginning of the request and the validation of the
| credentials. I've tested this scenario by rolling back to the
| previous version of openLDAP (2.4.19-15), which restores the
| authentication to an acceptable speed.
| This bug only impacts starttls sessions, utilizing ldaps is an
| acceptable work around for the time being, although we would like to
| return to starttls in the future as ldaps is deprecated in openLDAP.
| rolled openLDAP server back to a previous version and the
| authentication returns to normal.