[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS shutdown, order of operations

Jan Vcelak wrote:
Hello list.

I was told by Mozilla NSS developers, that OpenLDAP is shutting down the TLS
context incorrectly. The order of the operations is incorrect at least for
MozNSS backend.

As this part of the code is common for all TLS backends in OpenLDAP, I would
like to be sure about the way of fixing it.

We think, that ber_sockbuf_free() should be called before
ldap_int_tls_destroy() in ldap_ld_free(). Currently, the order is opposite.

This is the original reasoning from John Dennis:
In other words what is happening is an SSL socket is created using an NSS
context (i.e. the NSS context must exist prior to creating the SSL socket).
But when the socket is disposed of the order of operations isn't mirrored in
reverse. The socket should be disposed of first because it belongs to the
NSS context, then the NSS context should be destroyed. But openldap is
performing the opposite, it's destroying the NSS context first and then the

I'm not familiar with OpenSSL and GnuTLS. And I haven't found any information
about ordering the shutdown operations in theirs documentation. I just
went through the OpenLDAP code for other backends and my opinion is, that
this problem is related to all backends. IMO the socket should be really
shut down and closed before destroying the context with opened certificates
and other resources. But maybe I'm wrong.

Please, can somebody confirm or invalidate this?

What you're saying makes sense. However, I think things were set up in this order because technically the socket can outlive the TLS context. (Though in LDAP there is no Stop TLS request, it seems to me that it was intended at some point.)

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/