
TLS in 2.0.8 vs 2.0.7, openssl 0.9.6, HP-UX 11, gcc



There have been some changes in TLS handling between 2.0.7 and 2.0.8.  I found
I had to make new certificates which had a cn of the slapd hostname in order to
satisfy the client.  That wasn't too bad.

Now, I'm getting failures on TLS connect.  Using -d1 on slapd, the 2.0.7 model
seems to have the same "errors" when reading the client certificate as 2.0.8,
although the verify client certificate flag is off in both cases.  I put

TLSVerifyClient 0

in slapd.conf and put some printf's into openldap to assure myself that
SSL_VERIFY_PEER was not being set in (LDAP *)->verify_mode.

I found that if I try -d-1, for full debugging, it will occasionally succeed,
which is disturbing.  Again, the logs below are -d1 level debugging.

It could be that these lines of difference between the two logs are the key,
but I don't know what they signify:

ber_get_next on fd 7 failed errno=246 (Operation would block)
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)

Is there an openldap or openssl guru out there who can give me a clue about
what I am doing wrong?

@(#) $OpenLDAP: slapd 2.0.7-Release (Tue Apr 17 10:35:02 EDT 2001) $
	aej@hp3com2:/tools/utilities/openldap/openldap-2.0.7/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 7
ber_get_next
ber_get_next on fd 7 failed errno=246 (Operation would block)
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
do_bind

i.e. it worked.  Trying 2.0.8,

@(#) $OpenLDAP: slapd 2.0.8-Release (Thu May 17 15:08:16 EDT 2001) $
	aej@hp3com2:/tools/utilities/openldap/openldap-2.0.8/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 7
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(7): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=7 for close
connection_close: conn=0 sd=7

i.e. it failed.
------- end of forwarded message -------
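As an added example (not part of the original post), here is a small Python parser that reads the two -d1 traces quoted above, extracts the SSL_accept state sequence, flags the would-block errno lines as non-fatal, and reports the first step at which the 2.0.8 handshake stops short of the 2.0.7 one. The one assumption not stated in the post is the reading of "error in <state>" as OpenSSL's info-callback wording for "SSL_accept returned <0 and wants more I/O" (a real failure would print "failed in").

```python
import re

# Excerpts of the two slapd -d1 traces quoted in the post (2.0.7 vs 2.0.8).
COMMON = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"""
TRACE_207 = ("ber_get_next on fd 7 failed errno=246 (Operation would block)\n" + COMMON +
             "TLS trace: SSL_accept:SSLv3 read client key exchange A\n"
             "TLS trace: SSL_accept:SSLv3 read finished A\n"
             "TLS trace: SSL_accept:SSLv3 write change cipher spec A\n"
             "TLS trace: SSL_accept:SSLv3 write finished A\n")
TRACE_208 = ("ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)\n" +
             COMMON + "TLS: can't accept.\n"
             "connection_read(7): TLS accept error error=-1 id=0, closing\n")

# Assumption: OpenSSL info-callback wording. "error in <state>" = SSL_accept returned <0
# and wants more I/O (not a failure); "failed in <state>" would be a real failure.
STATE_RE = re.compile(r"^TLS trace: SSL_accept:(error in )?(.+)$")
ERRNO_RE = re.compile(r"ber_get_next on fd \d+ failed errno=(\d+) \((.+)\)")
WOULD_BLOCK = ("Operation would block", "Resource temporarily unavailable")

def parse_trace(text):
    """Summarise one trace: handshake steps reached, I/O waits, errnos, and how it ended."""
    info = {"states": [], "want_io": 0, "would_block": [], "fatal": None}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            info["states"].append(m.group(2))
            info["want_io"] += m.group(1) is not None   # server waiting on the client
            continue
        m = ERRNO_RE.search(line)
        if m and m.group(2) in WOULD_BLOCK:   # EAGAIN/EWOULDBLOCK on a non-blocking fd
            info["would_block"].append(int(m.group(1)))
        elif info["fatal"] is None and ("TLS: can't accept" in line or "TLS accept error" in line):
            info["fatal"] = line                # first line that reports the handshake failed
    info["completed"] = "SSLv3 write finished A" in info["states"]
    return info

def first_divergence(good, bad):
    """Index of the first handshake step where two traces differ (None if identical)."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i
    return None if len(good) == len(bad) else min(len(good), len(bad))
```

Run over the two traces, both show one would-block errno (246 on HP-UX, 11 elsewhere) on the non-blocking listener before the handshake starts, so those lines are not the problem. The divergence is at step 8: 2.0.7 goes on to "read client key exchange A" once the client's data arrives, while 2.0.8 gives up after the second "error in ... read client certificate A" wait.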