[Date Prev][Date Next] [Chronological] [Thread] [Top]

Session Ressumption problems with JSSE-OpenLDAP

Below is a dialog posted on the Software list. Gary and 
Sergio found a problem running SSL between JSSE and OpenLDAP.

Here are the symptoms:
- JSSE app hangs on the second, or third SSL connection to OpenLDAP
  (Using either Java LDAP API or JNDI)
- JSSE app does not hang against Novell or iPlanet.
- Both TLS and SSLv3 hangs.
- Setting the -Djavax.net.debug="all" flag mysteriously fixes
    (This is not a viable workaround because the flag causes Sun's JSSE

    to output everything, this degrades performance could be a security


I submitted a bug to Sun and I haven't heard back yet.  Sergio found a

workaround by invalidating the session for further use after the
is used - I'd suggest doing the same immediately after connection is

I'm very hesitant to check in a fix like that because 1) The bug is in
or OpenSSL and the fix in JLDAP would temporary; and 2) The workaround

would make the Java LDAP much slower for SSL.  

Have any of you found other symptoms like this with OpenSSL?  Does 
OpenLDAP set no caching of sessions?  I assume that this must be
in C.  And finally, has anyone tried a JSSE provider other than Sun's?


>>> "Cameron Morris" <CMorris@novell.com> 12/13/01 02:57PM >>>
The SSLSession stores enough information to connect to servers it has 
already connected to previously.  There is a simplified handshake
for this purpose, called Session resumption.  If a client sends a
with a 
session-ID from a previous session.  The server can chose to resume

previous session or start a new one.  So either the server is choking
on the 
resume request or JSSE could be choking on the denial.  (Since the
flag fixes the problem I'd guess the problem is with JSSE.
I ran a test to see if the problem is JSSE.  In a loop I connect and
- just like Gary's code does.   I put a Sytem.in.read to pause the
each re-connect.  Then I downed eDirectory and brought it up again to 
destroy any cached session keys.  Then I continued the program - it

able to recover the fact that the session was no longer valid on the
So I'd guess the problem is in the OpenLDAP server or in OpenSSL.  A 
sniffer trace showing the handshake would be definitely help.
I'm interested in the out come of this thing so if you find something
please let 
me know.
Cameron Morris
Software Engineer, Directory Services
Novell, Inc.,  The leading provider of Net services software

>>> Sergio Talens-Oliag < sto@isoco.com > 12/13/01 05:49AM >>> 
El Wed, Dec 12, 2001 at 01:20:46PM -0800, Gary Gwin escribió: 
> I've tested Jldap and JNDI using SSL against OpenLdap and both hang
> attempting a second connection/bind operation (e.g. SSL is setup
correctly for 
> at least one successful operation). I'm using RedHat Linux 7.1,
OpenLdap 2.0.11 
> and 2.0.18, and OpenSSL 9.6. I've also tried compiling the test
programs with 
> both JDK 1.3.1 (with JSSE 1.0.2) and JDK 1.4 beta 3 (which includes
JSSE), with 
> no difference. In all cases, the same test programs work fine over
> connections. The JNDI program is included below. Also, if you
the test 
> program with the -Djavax.net.debug="all" flag, it mysteriously

> I've also successfully tested (with the help of Novell), the same
Jldap and JNDI 
> test programs with SSL against Novell eDirectory 8.5 (NetWare 5.1)
and iPlant 
> 5.1 on NT 4.0. 
> It appears that the problem is with OpenSSL/OpenLdap on RedHat Linux
7.1. Does 
> anyone know of any configuration issues or known bugs that might
cause such a 
> problem? 

Yes, we've had similar problems and it seems that the problem is in 
the way the JSSE handles the SSLSession, we've solved it modifying the

file jldap/com/novell/ldap/client/Connection.java to invalidate the 
session when the secure socket is closed. 

The cvs diff output is: 

Index: jldap/com/novell/ldap/client/Connection.java 
RCS file:
retrieving revision 1.61 
diff -u -r1.61 Connection.java 
--- client/Connection.java2001/12/07 22:56:031.61 
+++ client/Connection.java2001/12/13 12:46:30 
@@ -20,6 +20,8 @@ 
import java.io.OutputStream; 
import java.io.BufferedInputStream; 
import java.net.Socket; 
+import javax.net.ssl.SSLSocket; 
+import javax.net.ssl.SSLSession; 

import com.novell.ldap.*; 
import com.novell.ldap.rfc2251.*; 
@@ -455,7 +457,6 @@ 
new Object[] { host, new Integer(port)}, 
LDAPException.CONNECT_ERROR, null, null); 
// Destroy old connection 
shutdown("destroy clone", 0, notify); 
} else { 
@@ -746,8 +747,12 @@ 
in = null; 
out = null; 
if( socket != null) { 
- // Close the socket 
+ // Close the SSLSession and the socket 
try { 
+ if(socket instanceof SSLSocket) { 
+ SSLSession ses = ((SSLSocket)socket).getSession(); 
+ ses.invalidate(); 
+ } 
} catch(java.io.IOException ie) { 
// ignore problem closing socket 

Sergio Talens-Oliag ................ Intelligent Software Components
_ _ _ _ 
Edificio Trade Center Telf: +34 96 3467143 @ |_ | || | | 
c/. Profesor Beltrán Báguena, 4 mailto:sto@isoco.com | _||_||_ |_| 
46009 Valencia (Spain) http://www.isoco.com ..............