Re: Session Resumption problems with JSSE-OpenLDAP

On May 30, 2002, "Kurt D. Zeilenga" wrote:

> OpenLDAP's slapd doesn't allow resumption of sessions.  slapd
> abruptly closes the LDAP session when the TLS association is
> terminated.  This behavior is allowed per section 4 of RFC 2830.


Sorry for the semi-duplicate post; I should have followed up to this

We are encountering what I believe is the "session resumption" problem
that has been described on this thread.  I notice that there is an ITS
entry (1895) which is closed with the comment that it is a bug in
Sun's JSSE and the workaround referenced is to use the JSSE from IBM's

We are finding that IBM's JSSE does not resolve the problem.  We have
noted that the problem (hanging SSL connections) does not seem to
occur when the slapd (2.0.21) server loads the OpenSSL 0.9.6c libs,
but it does occur with any later version of OpenSSL.  Has anyone else
experienced this and if so do you know why this is?

Evidently (from reading other posts on this thread) this problem is
not fixed in Sun's jdk 1.4.  I'm not well versed in the details of how
SSL/TLS works, so can anyone clarify the nature of the "bug" in JSSE?
From Kurt's comment above, it sounds like SSL/TLS session resumption
is not supported in slapd.  Is the problem then that JSSE is trying to
resume the session but not correctly detecting that the session was

Even if this is Sun's bug, since they have not fixed it, is there a
workaround on the server side?  I don't really want to say "sorry, you
can't do SSL" to Java clients, particularly since that is the primary
enterprise development environment used here.  Staying with OpenSSL
0.9.6c is not an option for security reasons.

Another question regarding Kurt's comment about abrupt session closure
-- we have been attempting to pool SSL LDAP connections on the client
side.  Does this "abrupt closure" behavior mean that this is not a
good idea, and that each client process/thread should open, use, and
close its own connection to slapd?

Many thanks,