Re: Ambiguous SSL/TLS error messages from slapd



Steve, I agree:


  This error gets printed with "-1" under too many
  conditions.  Just look at:
     libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

  RC Return Code -1 could happen in about a dozen places.

  I think we need to take a two step approach to fixing this:

  1) Long term, implement OpenSSL's err(3)
  2) Short term, in servers/slapd/main.c:

   Debug( LDAP_DEBUG_ANY,
     "main: TLS init def ctx failed: %d\n",
        rc, 0, 0 );

  We should change / append to this to clarify:

    if ( rc < 0 ) {
        Debug( LDAP_DEBUG_ANY,
            "main: something has gone terribly wrong in creation of "
            "the SSL data structure (rc=%d).  Check filesystem "
            "permissions, ownership bits, ACLs and configuration "
            "file paths.  Resort to strace(1)/ktrace(1) debugging.\n",
            rc, 0, 0 );
    }

    if ( rc > 0 ) {
        Debug( LDAP_DEBUG_ANY,
            "main: something has gone wrong in creation of the SSL "
            "socket data structure (rc=%d).  Please check the OpenSSL "
            "error code above against /usr/include/openssl/ssl until "
            "we have err(3) support.\n",
            rc, 0, 0 );
    }

I will submit a patch.

  ~BAS
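The two-step proposal above (clearer short-term messages in main.c, err(3)-style error reporting in the long term), as an added stand-alone C illustration that is not OpenLDAP or OpenSSL code. The ring-buffer error queue, the packed lib/reason code layout, the tls_init_def_ctx_sim() stand-in for the real ldap_pvt_tls_init_def_ctx() failure paths and the tls_init_report() formatter are all assumptions made for this example; the point is that a bare "-1" can carry the library, reason and source location of the failure once something like ERR_put_error()/ERR_get_error() exists in libldap.

```c
#include <stdio.h>
#include <string.h>

#define TLSERR_QUEUE_DEPTH 16

/* Pack (library, reason) into one code, after the pattern of OpenSSL's
 * ERR_PACK()/ERR_GET_LIB()/ERR_GET_REASON().  The bit layout is this
 * example's assumption, not OpenSSL's real one. */
#define TLSERR_PACK(lib, reason) \
    ((((unsigned long)(lib) & 0xFFUL) << 24) | ((unsigned long)(reason) & 0xFFFFFFUL))
#define TLSERR_GET_LIB(code)    ((int)(((code) >> 24) & 0xFFUL))
#define TLSERR_GET_REASON(code) ((int)((code) & 0xFFFFFFUL))

enum tlserr_lib    { TLSERR_LIB_SYS = 1, TLSERR_LIB_SSL = 2 };
enum tlserr_reason { TLSERR_R_CERT_UNREADABLE = 1, TLSERR_R_KEY_MISMATCH = 2 };

struct tlserr_entry { unsigned long code; const char *file; int line; };

/* Ring buffer of pending errors, oldest first; when full, the oldest is dropped. */
static struct tlserr_entry tlserr_queue[TLSERR_QUEUE_DEPTH];
static int tlserr_head = 0, tlserr_count = 0;

void tlserr_clear(void) { tlserr_head = 0; tlserr_count = 0; }

static void tlserr_put(int lib, int reason, const char *file, int line)
{
    int idx;
    if (tlserr_count == TLSERR_QUEUE_DEPTH) {
        tlserr_head = (tlserr_head + 1) % TLSERR_QUEUE_DEPTH;
        tlserr_count--;
    }
    idx = (tlserr_head + tlserr_count) % TLSERR_QUEUE_DEPTH;
    tlserr_queue[idx].code = TLSERR_PACK(lib, reason);
    tlserr_queue[idx].file = file;
    tlserr_queue[idx].line = line;
    tlserr_count++;
}
/* Records where the failure was detected, like OpenSSL's ERR_put_error(). */
#define TLSERR_PUT(lib, reason) tlserr_put((lib), (reason), __FILE__, __LINE__)

/* Pop the oldest pending error; 0 means the queue is empty (cf. ERR_get_error). */
unsigned long tlserr_get(const char **file, int *line)
{
    unsigned long code;
    if (tlserr_count == 0) return 0;
    code = tlserr_queue[tlserr_head].code;
    if (file) *file = tlserr_queue[tlserr_head].file;
    if (line) *line = tlserr_queue[tlserr_head].line;
    tlserr_head = (tlserr_head + 1) % TLSERR_QUEUE_DEPTH;
    tlserr_count--;
    return code;
}

const char *tlserr_reason_string(unsigned long code)
{
    switch (TLSERR_GET_REASON(code)) {
    case TLSERR_R_CERT_UNREADABLE:
        return "certificate file unreadable (check path, permissions, ownership)";
    case TLSERR_R_KEY_MISMATCH:
        return "private key does not match certificate";
    default:
        return "unknown reason";
    }
}

/* Hypothetical stand-in for the ldap_pvt_tls_init_def_ctx() failure paths:
 * it still returns the bare -1 slapd sees today, but records why first. */
int tls_init_def_ctx_sim(int cert_readable, int key_matches)
{
    if (!cert_readable) { TLSERR_PUT(TLSERR_LIB_SYS, TLSERR_R_CERT_UNREADABLE); return -1; }
    if (!key_matches)   { TLSERR_PUT(TLSERR_LIB_SSL, TLSERR_R_KEY_MISMATCH);    return -1; }
    return 0;
}

/* What main.c could log instead of only "TLS init def ctx failed: -1": the rc,
 * then every queued error, drained oldest first.  Returns the number reported. */
int tls_init_report(int rc, char *buf, size_t buflen)
{
    int n = 0, len, line;
    unsigned long code;
    const char *file;

    if (rc == 0) { snprintf(buf, buflen, "main: TLS init ok\n"); return 0; }
    len = snprintf(buf, buflen, "main: TLS init def ctx failed: %d\n", rc);
    while ((code = tlserr_get(&file, &line)) != 0) {
        if (len < 0 || (size_t)len >= buflen) continue; /* buffer full: keep draining */
        len += snprintf(buf + len, buflen - (size_t)len, "  lib=%d reason=%d: %s [%s:%d]\n",
                        TLSERR_GET_LIB(code), TLSERR_GET_REASON(code),
                        tlserr_reason_string(code), file, line);
        n++;
    }
    return n;
}

int main(void)
{
    char buf[512];
    int rc = tls_init_def_ctx_sim(0, 1);   /* constructed failure: unreadable cert */
    tls_init_report(rc, buf, sizeof buf);
    fputs(buf, stdout);
    return 0;
}
```

tls_init_report() drains the queue the way an ERR_get_error() loop does, so each recorded failure is logged exactly once and nothing stale leaks into the next attempt; a caller that retries initialisation should tlserr_clear() first. The rc sign split from the message above still applies on top of this: a negative rc with an empty queue is the "check permissions, paths, strace(1)" case, while queued entries name the concrete reason.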