RE: Session Resumption problems with JSSE-OpenLDAP
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John David Garza
> So, has there been any update to this openldap bug?
The bug report (ITS#1895) was closed Sep 19 2002. OpenLDAP 2.1.x released
after that date does not have this issue.
> Does upgrading to 2.1.5 solve the problem? We are currently having
> this problem with Red Hat Linux with the rpm openldap-2.0.27-2.7.3.
> Upgrading our Java to 1.4.1 from Sun didn't have any effect.
> In our ldap logs we can see our second ssl connections hanging. From
> the discussions on the list archive it seems the clean thing to do
> would be to have openldap play nice and send clients a notice of
> disconnection, as described in Te Cheng's reference to the RFC in his
"notice of disconnect" is sent automatically by the SSL library.
> > On Wed, 18 Sep 2002, Howard Chu wrote:
> > > In my own testing I found that SSL session resumption using OpenSSL
> > > 0.9.6d worked fine with (a modified) ldapsearch and (unmodified)
> > > slapd. When I upgraded to OpenSSL 0.9.6g it failed with an error
> > > code but I never saw a hang. The failure was because libldap never
> > > initialized OpenSSL's session ID context; this seemed to work fine
> > > with a NULL context in OpenSSL 0.9.6d. A patch has been applied to
> > > libldap/tls.c in CVS to set the session ID. This patch will be in
> > > OpenLDAP 2.1.5.
> > That's helpful. We're still using 2.0.2 but I will keep this in
> > mind. We are seeing the "hangs" described in earlier messages on this
> > thread with any OpenSSL other than 0.9.6c (actually have not tried
> > anything less than "b", to be precise).
> > > I try to touch Java as little as possible, but just for
> > > sake I fired up my copy of Jarek Gawor's ldapbrowser 2.8.2 again,
> > > with Sun's Java2SDK1.4.0 on my Windows box. After it told me my CA
> > > cert was unrecognized, it connected fine using ldaps://. I then
> > > disconnected and reconnected without any problems. Watching the
> > > slapd debug log I can see that it's resuming the session as there is
> > > no exchange of client or server certificates on the reconnect.
> > What loglevel shows the SSL exchanges? We generally don't have
> > problems connecting, disconnecting, and reconnecting. We do see the
> > hanging connection when we try to establish more than one connection
> > (e.g. creating the connection pool: the first connection is fine,
> > subsequent connections hang). I'm not actually developing the Java
> > side but that's what's being reported to me.
> > > At this point I don't see any bug of the nature being discussed in
> > > this thread. No hangs, anyway.
> > Earlier messages on this thread discussed both a JSSE bug and hanging
> > connections. I actually just heard last night from one of our Java
> > developers that the 1.4.1 SDK seems to have addressed this bug,
> > finally. We're not prepared to move to that immediately here, but
> > perhaps it bodes well for the long term.
> > The whole reason we're using SSL is to protect the password on simple
> > binds. We were never able to get SASL/GSSAPI working with the 1.3
> > SDK. That should be easier with 1.4 also, and we're experimenting
> > with that as well.
> > Allan