[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS connect from remote host to slapd hangs


I'm currently having problems getting a new slave server at a remote
site running. I use startTLS and/or imaps for SASL EXTERNAL
authentication. Therefor I have "TLSVerifyClient try" in slapd.conf.

I can access this slapd fine from the server itself. But when I try to
contact the new slave from *anywhere* else the connection hangs during
the initial SSL phase.

There are two ways to get a successfull connect from a different host to
this slave: 
 - turn off TLSVerifyClient
 - run this slapd with -d -1 dumping all output to a ssh connection

Searching the archive I found one message saying that hangs can be
caused by invalid certificates. Well, the certificate is already in use
for imaps and other services - and even works for ldaps when used from
the server itself. 

While playing with s_client I found two things that made me wonder:
 - slapd crashed several times (even my master - whoops)
 - when I terminate slapd when the client hangs, the client continues
   getting the servers certificate as it does with other (working)

Interrupting slapd when a client hangs I get the below output. I hope I
didn't trim it too much.

output from slapd-2.1.8 -d -1:

TLS trace: SSL_accept:SSLv3 write certificate A
tls_write: want=4096, written=4096
tls_write: want=10583, written=8936
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1647 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
slap_sig_shutdown: signal 2
slap_sig_shutdown: signal 2
daemon: shutdown requested and initiated.
daemon: closing 6
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
ldbm backend syncing
ldbm backend done syncing
====> cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.

output from openssl s_client -host <name> -port 636 -CApath /etc/ssl/certs -prexit

depth=1 /C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification
verify return:1
verify return:1

that's the point where the client hangs and I terminate the slapd with
^C. Then the client shows:

21098:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
Certificate chain
 0 s:/C=DE/ST=NRW/O=zutode/CN=badlands.zuto.de/Email=hostmaster@zuto.de
   i:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
 1 s:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
   i:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
Server certificate
No client certificate CA names sent
SSL handshake has read 13032 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: AA119C3D611E9DA218158D148B3E7175391E99F8F2FD3CC64E34F6A527520837
    Key-Arg   : None
    Start Time: 1035146200
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I've tried openldap 2.1.3 and 2.1.8

So my final question is: Does anybody have an Idea, what I'm doing wrong?


KeyID=759975BD fingerprint=887A 4BE3 6AB7 EE3C 4AE0  B0E1 0556 E25A 7599 75BD