TLS connect from remote host to slapd hangs
- To: openldap-software@OpenLDAP.org
- Subject: TLS connect from remote host to slapd hangs
- From: bj@zuto.de (Rainer Clasen)
- Date: Sun, 20 Oct 2002 23:07:38 +0200
- Content-disposition: inline
- User-agent: Mutt/1.3.28i
Hello,
I'm currently having problems getting a new slave server at a remote
site running. I use startTLS and/or imaps for SASL EXTERNAL
authentication. Therefore I have "TLSVerifyClient try" in slapd.conf.
I can access this slapd fine from the server itself. But when I try to
contact the new slave from *anywhere* else the connection hangs during
the initial SSL phase.
There are two ways to get a successful connect from a different host to
this slave:
- turn off TLSVerifyClient
- run this slapd with -d -1 dumping all output to a ssh connection
Searching the archive I found one message saying that hangs can be
caused by invalid certificates. Well, the certificate is already in use
for imaps and other services - and even works for ldaps when used from
the server itself.
While playing with s_client I found two things that made me wonder:
- slapd crashed several times (even my master - whoops)
- when I terminate slapd when the client hangs, the client continues
getting the server's certificate as it does with other (working)
slapds.
Interrupting slapd when a client hangs I get the below output. I hope I
didn't trim it too much.
output from slapd-2.1.8 -d -1:
TLS trace: SSL_accept:SSLv3 write certificate A
tls_write: want=4096, written=4096
[...]
tls_write: want=10583, written=8936
[...]
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1647 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
slap_sig_shutdown: signal 2
slap_sig_shutdown: signal 2
daemon: shutdown requested and initiated.
daemon: closing 6
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
ldbm backend syncing
ldbm backend done syncing
====> cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.
output from openssl s_client -host <name> -port 636 -CApath /etc/ssl/certs -prexit
CONNECTED(00000003)
depth=1 /C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
verify return:1
depth=0 /C=DE/ST=NRW/O=zutode/CN=badlands.zuto.de/Email=hostmaster@zuto.de
verify return:1
That's the point where the client hangs and I terminate the slapd with
^C. Then the client shows:
21098:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
---
Certificate chain
0 s:/C=DE/ST=NRW/O=zutode/CN=badlands.zuto.de/Email=hostmaster@zuto.de
i:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
1 s:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
i:/C=DE/ST=NRW/L=Duisburg/O=zutode/CN=Certification Authority/Email=hostmaster@zuto.de
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=<...>
issuer=<...>
---
No client certificate CA names sent
---
SSL handshake has read 13032 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: AA119C3D611E9DA218158D148B3E7175391E99F8F2FD3CC64E34F6A527520837
Session-ID-ctx:
Master-Key:
Key-Arg : None
Start Time: 1035146200
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I've tried openldap 2.1.3 and 2.1.8.
So my final question is: Does anybody have an idea what I'm doing wrong?
Rainer
--
KeyID=759975BD fingerprint=887A 4BE3 6AB7 EE3C 4AE0 B0E1 0556 E25A 7599 75BD
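The s_client run in the post blocks after the server certificate and only reports what it read and wrote once slapd is killed. As an added example (not from this post or from OpenLDAP), the following Python client drives a TLS handshake through ssl.MemoryBIO under a deadline, so a peer that stops answering mid-handshake yields a report of the bytes exchanged instead of a hang; the transport interface, SilentTransport and the hostname are constructed stand-ins.

```python
import ssl
import time

def drive_handshake(ctx, transport, server_hostname, deadline_s=5.0):
    """Client TLS handshake over MemoryBIOs that reports a stall instead of hanging.
    Assumed transport interface: send(data) -> int; recv(timeout) -> bytes
    (b'' when nothing arrived in time, None on EOF)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    sent = received = 0
    start = time.monotonic()
    while True:
        try:
            tls.do_handshake()
            return {"state": "complete", "sent": sent, "received": received}
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass  # OpenSSL queued output and/or needs more bytes from the peer
        except ssl.SSLError as exc:
            return {"state": "failed", "sent": sent, "received": received, "error": str(exc)}
        pending = outgoing.read()  # flush queued records (ClientHello first)
        if pending:
            sent += transport.send(pending)
        remaining = deadline_s - (time.monotonic() - start)
        if remaining <= 0:
            return {"state": "stalled", "sent": sent, "received": received}
        data = transport.recv(remaining)
        if data is None:
            return {"state": "closed", "sent": sent, "received": received}
        if data:
            received += len(data)
            incoming.write(data)

class SilentTransport:
    """Constructed stand-in for a peer that accepts bytes but never answers."""
    def __init__(self):
        self.from_client = b""
    def send(self, data):
        self.from_client += data
        return len(data)
    def recv(self, timeout):
        time.sleep(min(timeout, 0.02))
        return b""

def probe_silent_peer(deadline_s=0.2):
    """Run the handshake against the silent peer; the hostname is a placeholder."""
    peer = SilentTransport()
    result = drive_handshake(ssl.create_default_context(), peer, "ldap.example.invalid", deadline_s)
    result["first_record_type"] = peer.from_client[:1]  # b"\x16": TLS handshake record
    return result
```

Against a real server, replace SilentTransport with a non-blocking socket wrapper that implements the same send/recv(timeout) pair.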