
Re: SSL strangeness



Quanah Gibson-Mount wrote:
> --On Thursday, October 29, 2009 2:56 PM +0100 Victor Mataré <matare@lih.rwth-aachen.de> wrote:
>
>> Hope that someone can make sense of this. Just to be clear: ldapsearch
>> behaves the same way as described above for openssl s_client.
>>
>> Thank you very much for even reading so far.
>
> If slapd is the one failing to send data, why don't you turn up the debugging level on the slapd side and see what it thinks is happening? I.e., start slapd by hand with something like -d 2 or -d -1 and see what it reports at the time at which the connection hangs.
>
> --Quanah

Ok, when I start slapd with -d 9, I see this:

>>> slap_listener(ldap://)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B

(Ctrl-C on the client)

connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:SSLv3 write certificate request B
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(15): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=15 for close
connection_close: conn=1 sd=15

However, it looks like it might be a client issue after all, because I found out some clients can actually talk to the server through ldaps:// or STARTTLS, while others fail with "Can't contact ldap server". This is some weird breakage. Don't bother too much with this, I think I have to do some more experimentation. But thanks to all for the quick responses so far.
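The slapd trace above already contains the answer to "which side is stuck": the server reaches "write certificate request", spins on "error in" (SSL_accept returning a would-block result) until the client is killed, and only then reports "failed in SSLv3 read client certificate A". The following script, an added example that is not part of the thread and not OpenLDAP code, walks a `slapd -d` trace excerpt and reports the last handshake state, where the accept blocked or failed, and whether a client certificate was requested. The sample trace is a constructed copy of the lines quoted above; the state-marker meaning ("error in" = SSL_accept() returned < 0, "failed in" = returned 0) follows the info-callback convention slapd shares with OpenSSL's s_client/s_server.

```python
import re

# Constructed sample: the SSL_accept section of the slapd -d 9 output quoted in the thread.
SAMPLE_TRACE = """\
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:SSLv3 write certificate request B
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(15): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=15 for close
connection_close: conn=1 sd=15
"""

# slapd's TLS info callback prints one of three forms per state transition:
#   "SSL_accept:<state>"            the state was entered normally
#   "SSL_accept:error in <state>"   SSL_accept() returned < 0 (normally would-block; slapd retries)
#   "SSL_accept:failed in <state>"  SSL_accept() returned 0 (handshake failed or the peer went away)
TRACE_RE = re.compile(r"TLS trace: SSL_accept:(?:(error in|failed in) )?(.+)$")
FAILURE_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def summarize_tls_accept(trace: str) -> dict:
    """Parse SSL_accept trace lines and describe how far the server-side handshake got."""
    result = {
        "states": [],                   # handshake states entered normally, in order
        "blocked_in": None,             # last state in which SSL_accept() was retrying
        "failed_in": None,              # state in which SSL_accept() gave up
        "client_cert_requested": False, # server sent a TLS CertificateRequest
        "accept_failure_id": None,      # slapd connection id that was closed on failure
        "diagnosis": "no SSL_accept trace lines found",
    }
    for line in trace.splitlines():
        m = TRACE_RE.search(line)
        if m:
            marker, state = m.group(1), m.group(2).strip()
            if "write certificate request" in state:
                result["client_cert_requested"] = True
            if marker is None:
                result["states"].append(state)
            elif marker == "error in":
                result["blocked_in"] = state
            else:
                result["failed_in"] = state
            continue
        m = FAILURE_RE.search(line)
        if m:
            result["accept_failure_id"] = m.group(2)

    if result["failed_in"]:
        if result["client_cert_requested"] and "read client certificate" in result["failed_in"]:
            # The server asked for a client certificate and the client never answered.
            result["diagnosis"] = (
                "server sent CertificateRequest and the client never answered: "
                "inspect the client side (its TLS library, trust store and "
                "client-certificate settings), not slapd"
            )
        else:
            result["diagnosis"] = "handshake failed in state: " + result["failed_in"]
    elif result["blocked_in"]:
        result["diagnosis"] = "handshake still waiting in state: " + result["blocked_in"]
    elif result["states"]:
        result["diagnosis"] = "handshake completed"
    return result


if __name__ == "__main__":
    summary = summarize_tls_accept(SAMPLE_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it as-is to see the breakdown of the quoted trace, or pipe a real `slapd -d 9` capture into `summarize_tls_accept`. The script deliberately treats "error in" as non-fatal, because a server that has just written a CertificateRequest must wait for the client's reply; the fatal event is the later "failed in read client certificate", which is the server noticing the connection went away.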