
RE: Session Resumption problems with JSSE-OpenLDAP

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Ivan Brezina

> Hi,
> I have read thread about this problem in mail archive of
> openldap-software. The most important was this:
> <cite href="http://www.openldap.org/lists/openldap-software/200205/msg00603.html">
> OpenLDAP's slapd doesn't allow resumption of sessions.  slapd
> abruptly closes the LDAP session when the TLS association is
> terminated.  This behavior is allowed per section 4 of RFC 2830.
> </cite>

As far as I can see, slapd does nothing to prevent sessions from resuming.
slapd does nothing special with TLS sessions, one way or another. The OpenSSL
doc says it must set a session context ID in order to enable session caching,
but it seems to cache sessions even when the context ID is empty.

> What does it mean? You cannot initialize an SSL connection against OpenLDAP
> using a Session ID, no way?

I modified ldapsearch to run repeatedly, unbinding each time but preserving
the SSL session handle for re-use on each iteration. After the first
connection established a new session, all of the subsequent iterations worked
fine resuming the session.

> When I run:
> openssl s_client -connect usermap.vc.cvut.cz:ldaps -reconnect
> OpenLDAP(libssl) establishes connection and generates session-ID,
> and it reconnects four times, because libssl allows it.

Yes, I saw the same behavior. Again, this just confirms that slapd doesn't do
anything special that prevents session resumption from working. The problem
must be in the JSSE client.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
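The test Howard describes (connect, unbind, reconnect while holding on to the SSL session handle, and see whether the later handshakes come back as resumed) can be scripted against any TLS endpoint. The following is an added example, not code from this thread or from OpenLDAP: it runs the loop with Python's ssl module against a throwaway in-process TLS server standing in for slapd, so it works offline. It assumes the `openssl` command-line tool is on PATH (used only to mint a one-day self-signed certificate for CN=localhost); the function names `make_self_signed_cert`, `start_server`, `resumption_pattern` and `check_local_server` are this example's own. The server closes each connection abruptly without close_notify, mirroring what the quoted archive message says slapd does, to show that this by itself does not stop the client from resuming.

```python
"""Probe TLS session resumption the way the modified ldapsearch did:
N connections in a row, the first session handle carried into the rest,
and the per-handshake `session_reused` flag recorded.

Added example, not OpenLDAP code. Assumes the `openssl` CLI is available.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory):
    """Mint key.pem/cert.pem for CN=localhost with the openssl CLI (assumption:
    openssl is installed). Returns (cert_path, key_path), or None if it cannot."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    try:
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (OSError, subprocess.CalledProcessError):
        return None
    return cert, key


def start_server(cert, key, connections):
    """Stand-in for slapd: accept `connections` TLS connections on 127.0.0.1,
    answer one message on each, then close the TCP socket with no close_notify.
    Nothing special is done for sessions; OpenSSL's default server-side
    session cache (and session tickets) stay enabled. Returns the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(connections)
    port = lsock.getsockname()[1]

    def run():
        for _ in range(connections):
            conn, _addr = lsock.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)            # the client's one request
                tls.sendall(b"bye")     # answer, then drop the connection
        lsock.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def resumption_pattern(port, cert, rounds=3):
    """Connect `rounds` times, reusing the first connection's session object on
    every later handshake, and return the list of session_reused flags.
    Expected against a server that resumes: [False, True, True, ...]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cert)   # pin the throwaway cert as the trust anchor
    ctx.check_hostname = False        # the test cert has a CN only, no SAN
    # Stay on TLS 1.2: there the session ID / ticket is complete when the
    # handshake returns. Under TLS 1.3 the ticket arrives after the handshake,
    # so you would have to read from the socket before saving tls.session.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    reused = []
    session = None
    for _ in range(rounds):
        raw = socket.create_connection(("127.0.0.1", port))
        tls = ctx.wrap_socket(raw, server_hostname="localhost", session=session)
        reused.append(tls.session_reused)
        if session is None:
            session = tls.session      # keep the handle, like the ldapsearch test
        tls.sendall(b"hi")
        tls.recv(16)
        tls.close()                    # "unbind": plain close, no close_notify
    return reused


def check_local_server(rounds=3):
    """Run the whole probe offline. Returns the reuse pattern, or None when the
    openssl CLI needed for the test certificate is not available."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_self_signed_cert(d)
        if paths is None:
            return None
        cert, key = paths
        port = start_server(cert, key, rounds)
        return resumption_pattern(port, cert, rounds)


if __name__ == "__main__":
    print(check_local_server())
```

Against a real server (slapd on ldaps/636, or anything else) the same `resumption_pattern` loop applies with the real host and the site CA in `load_verify_locations`, and is the quickest way to settle whether the server or the client is refusing to resume: if a plain OpenSSL client gets `[False, True, True]` while another client does not, the problem is on that client's side, which is the conclusion drawn above for JSSE. Remember the TLS 1.3 caveat in the comments before reporting a server as non-resuming.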