
Re: "error in SSLv3 flush data" when connecting from network

--On Monday, February 26, 2007 3:59 PM +0200 Antonis Christofides <anthony@itia.ntua.gr> wrote:

Hi,

Summary:

A tls connection between a client and a 2.3.30 slapd hangs while the
server is giving the certificate; but this does not happen if the
server is run with -d 2 or higher, or if the client is the server
itself.

Details:

(A seemingly similar issue has been reported before, without
satisfactory reply, 4 years ago:
http://www.openldap.org/lists/openldap-software/200210/msg00459.html)

My slapd is the Debian-etch-packaged 2.3.30.

Problems with SSL on Debian are well known, and this is due to the fact that they long ago patched OpenLDAP 2.1 to compile against GnuTLS (note, I don't say *work*, just compile).

When you use their 2.2 and 2.3 packages, and their libraries get loaded into the same user space as the 2.1 libraries (which are always installed), then SSL/TLS stops working. There is *nothing* the OpenLDAP folks can do about this.

My only advice to you is to not use the Debian packages. Build OpenLDAP yourself, or get a prebuilt distribution like Symas' CDS that installs into a completely separate location so that it is not polluted by the Debian packages.

In the meantime, Stanford U. & The Written Word have hired Symas corporation to create true integration between GnuTLS and OpenLDAP. It is anticipated that this will be part of the OpenLDAP 2.4 release. Too late for Debian's etch release, but I assume this problem will finally go away for Debian in the release after that.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
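The reply above attributes the hang to two libldap generations (and with them two TLS stacks, GnuTLS and OpenSSL) being resolved into one process. The following script, added here as an example and not part of the thread or of OpenLDAP, is one way to check a slapd or client binary for exactly that: it reads `ldd` output and reports whether more than one libldap soname or more than one TLS library is linked in. The sample `ldd` listings, sonames and paths in it are constructed to illustrate the check, not copied from a real Debian etch system.

```shell
#!/bin/sh
# Added example, not from the thread: flag a slapd or ldap client binary whose
# shared-library closure mixes two libldap generations or two TLS backends,
# the situation the reply blames for SSL/TLS breaking. Input is `ldd` output.

# Constructed sample resembling what `ldd /usr/sbin/slapd` could print when a
# 2.1-era libldap and a 2.3-era libldap_r are both resolved into one process
# (sonames and paths are assumed, not copied from a real Debian system).
MIXED_LDD='	libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0x00001000)
	libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0x00002000)
	libldap.so.2 => /usr/lib/libldap.so.2 (0x00003000)
	libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00004000)
	libc.so.6 => /lib/libc.so.6 (0x00005000)'

# Constructed sample of a self-built slapd: one libldap generation, one TLS stack.
CLEAN_LDD='	libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0x00001000)
	libldap-2.3.so.0 => /usr/local/lib/libldap-2.3.so.0 (0x00002000)
	libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00003000)
	libc.so.6 => /lib/libc.so.6 (0x00004000)'

# count_ldap_sonames: reads ldd output on stdin and prints how many distinct
# libldap sonames appear, treating libldap_r (reentrant) as the same library
# as its libldap sibling. More than one means two generations coexist.
count_ldap_sonames() {
    awk '$1 ~ /^libldap(_r)?[-.]/ {
             name = $1; sub(/_r/, "", name); seen[name] = 1
         }
         END { n = 0; for (k in seen) n++; print n }'
}

# count_tls_backends: reads ldd output on stdin and prints how many TLS
# libraries (GnuTLS, OpenSSL) are resolved. Two means two stacks share the
# process.
count_tls_backends() {
    awk '$1 ~ /^libgnutls\.so/ { seen["gnutls"] = 1 }
         $1 ~ /^libssl\.so/    { seen["openssl"] = 1 }
         END { n = 0; for (k in seen) n++; print n }'
}

# check_ldd_output LDD_TEXT: prints "conflict" if either count exceeds one,
# otherwise "clean".
check_ldd_output() {
    n_ldap=$(printf '%s\n' "$1" | count_ldap_sonames)
    n_tls=$(printf '%s\n' "$1" | count_tls_backends)
    if [ "$n_ldap" -gt 1 ] || [ "$n_tls" -gt 1 ]; then
        echo conflict
    else
        echo clean
    fi
}

# Demo on the constructed samples; on a real host run, for example:
#   check_ldd_output "$(ldd /usr/sbin/slapd)"
printf 'mixed install: %s\n' "$(check_ldd_output "$MIXED_LDD")"
printf 'clean install: %s\n' "$(check_ldd_output "$CLEAN_LDD")"
```

`ldd` only shows the link-time closure; a library pulled in later through `dlopen` (an SASL or overlay module, for instance) would not appear, so for a running daemon the loaded-object list under `/proc/<pid>/maps` is the more complete input to the same two counts.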