[Date Prev][Date Next]
RE: Session Resumption problems with JSSE-OpenLDAP
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Ivan Brezina
> I have read thread about this problem in mail archive of
> openldap-software. The most important was this:
> OpenLDAP's slapd doesn't allow resumption of sessions. slapd
> abruptly closes the LDAP session when the TLS association is
> terminated. This behavior is allowed per section 4 of RFC 2830.
As far as I can see, slapd does nothing to prevent sessions from resuming.
slapd does nothing special with TLS sessions, one way or another. The OpenSSL
doc says it must set a session context ID in order to enable session caching,
but it seems to cache sessions even when the context ID is empty.
> What does it mean ? You cannot initalize SSL connection against OpenLDAP
> using Session ID no way ?
I modified ldapsearch to run repeatedly, unbinding each time but preserving
the SSL session handle for re-use on each iteration. After the first
connection established a new session, all of the subsequent iterations worked
fine resuming the session.
> When I run:
> openssl s_client -connect usermap.vc.cvut.cz:ldaps -reconnect
> OpenLDAP(libssl) establishes connection and generates session-ID,
> and it reconnects four times, because libssl allowes it.
Yes, I saw the same behavior. Again, this just confirms that slapd doesn't do
anything special that prevents session resumption from working. The problem
must be in the JSSE client.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support