[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "error in SSLv3 flush data" when connecting from network

--On Monday, February 26, 2007 3:59 PM +0200 Antonis Christofides <anthony@itia.ntua.gr> wrote:



A tls connection between a client and a 2.3.30 slapd hangs while the
server is giving the certificate; but this does not happen if the
server is run with -d 2 or higher, or if the client is the server


(A seemingly similar issue has been reported before, without
satisfactory reply, 4 years ago:

My slapd is the Debian-etch-packaged 2.3.30.

Problems with SSL on Debian are well known, and it is due to the fact that they long ago patched OpenLDAP 2.1 to compile against GnuTLS (note, I don't say *work*, just compile).

When you use their 2.2 and 2.3 packages, and their libraries get loaded into the same user space as the 2.1 libraries (which are always installed), then SSL/TLS stop working. There is *nothing* the OpenLDAP folks can do about this.

My only advice to you is to not use the Debian packages. Build OpenLDAP yourself, or get a prebuilt distribution like Symas' CDS that installs into a completely separate location so that it is not polluted by the Debian packages.

In the meantime, Stanford U. & The Written Word have hired Symas corporation to create true integration between GnuTLS and OpenLDAP. It is anticipated that will be part of the OpenLDAP 2.4 release. Too late for Debian's etch release, but I assume this problem will finally go away for Debian in the release after that.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html