[Date Prev][Date Next] [Chronological] [Thread] [Top]

Fwd: Re: OpenLdap Fails with JNDI/SSL Connects

The SSLSession stores enough information to connect to servers it has
already connected to previously.  There is a simplified handshake designed
for this purpose, called Session resumption.  If a client sends a hello with a
session-ID from a previous session.  The server can chose to resume the
previous session or start a new one.  So either the server is choking on the
resume request or JSSE could be choking on the denial.  (Since the debug
flag fixes the problem I'd guess the problem is with JSSE.
I ran a test to see if the problem is JSSE.  In a loop I connect and re-connect
- just like Gary's code does.   I put a Sytem.in.read to pause the code after
each re-connect.  Then I downed eDirectory and brought it up again to
destroy any cached session keys.  Then I continued the program - it was
able to recover the fact that the session was no longer valid on the server.  
So I'd guess the problem is in the OpenLDAP server or in OpenSSL.  A
sniffer trace showing the handshake would be definitely help.
I'm interested in the out come of this thing so if you find something please let
me know.
Cameron Morris
Software Engineer, Directory Services
Novell, Inc.,  The leading provider of Net services software

>>> Sergio Talens-Oliag < sto@isoco.com > 12/13/01 05:49AM >>>
El Wed, Dec 12, 2001 at 01:20:46PM -0800, Gary Gwin escribió:
> I've tested Jldap and JNDI using SSL against OpenLdap and both hang upon
> attempting a second connection/bind operation (e.g. SSL is setup correctly for
> at least one successful operation). I'm using RedHat Linux 7.1, OpenLdap 2.0.11
> and 2.0.18, and OpenSSL 9.6. I've also tried compiling the test programs with
> both JDK 1.3.1 (with JSSE 1.0.2) and JDK 1.4 beta 3 (which includes JSSE), with
> no difference. In all cases, the same test programs work fine over non-SSL
> connections. The JNDI program is included below. Also, if you startup the test
> program with the -Djavax.net.debug="all" flag, it mysteriously works.
> I've also successfully tested (with the help of Novell), the same Jldap and JNDI
> test programs with SSL against Novell eDirectory 8.5 (NetWare 5.1) and iPlant
> 5.1 on NT 4.0.
> It appears that the problem is with OpenSSL/OpenLdap on RedHat Linux 7.1. Does
> anyone know of any configuration issues or known bugs that might cause such a
> problem?

Yes, we've had similar problems and it seems that the problem is in
the way the JSSE handles the SSLSession, we've solved it modifying the
file jldap/com/novell/ldap/client/Connection.java to invalidate the
session when the secure socket is closed.

The cvs diff output is:

Index: jldap/com/novell/ldap/client/Connection.java
RCS file: /repo/OpenLDAP/pkg/jldap/com/novell/ldap/client/Connection.java,v
retrieving revision 1.61
diff -u -r1.61 Connection.java
--- client/Connection.java2001/12/07 22:56:031.61
+++ client/Connection.java2001/12/13 12:46:30
@@ -20,6 +20,8 @@
import java.io.OutputStream;
import java.io.BufferedInputStream;
import java.net.Socket;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSession;

import com.novell.ldap.*;
import com.novell.ldap.rfc2251.*;
@@ -455,7 +457,6 @@
new Object[] { host, new Integer(port)},
LDAPException.CONNECT_ERROR, null, null);
// Destroy old connection
shutdown("destroy clone", 0, notify);
} else {
@@ -746,8 +747,12 @@
in = null;
out = null;
if( socket != null) {
- // Close the socket
+ // Close the SSLSession and the socket
try {
+ if(socket instanceof SSLSocket) {
+ SSLSession ses = ((SSLSocket)socket).getSession();
+ ses.invalidate();
+ }
} catch(java.io.IOException ie) {
// ignore problem closing socket

Sergio Talens-Oliag ................ Intelligent Software Components S.A.
_ _ _ _
Edificio Trade Center Telf: +34 96 3467143 @ |_ | || | |
c/. Profesor Beltrán Báguena, 4 mailto:sto@isoco.com | _||_||_ |_|
46009 Valencia (Spain) http://www.isoco.com ..............