
Problems when closing LDAPS sessions?



Hi.

I use a slapd server (OpenLDAP 2.1.30 on FreeBSD 4.10), and OpenLDAP
clients (same version, same OS) to make LDAPS access to this server.

Everything works fine, but if I have many requests at the same time
(by "request", I mean "connect, request, disconnect"), some of them
will time out, without apparent reason.

After some investigations, I found what seems to be a problem when
closing TLS sessions.

Here is a dump of one connection (ethereal output):


 1 0.000000   Client  Server TCP   12085 > ldaps [SYN] Seq=255346966 Ack=0 Win=57344 Len=0
 2 0.000045   Server  Client TCP   ldaps > 12085 [SYN, ACK] Seq=4179512178 Ack=255346967 Win=57344 Len=0
 3 0.000236   Client  Server TCP   12085 > ldaps [ACK] Seq=255346967 Ack=4179512179 Win=57408 Len=0
 4 0.000936   Client  Server SSLv2 Client Hello
 5 0.002033   Server  Client TLS   Server Hello, Certificate, Server Hello Done
 6 0.004940   Client  Server TLS   Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 7 0.017231   Server  Client TLS   Change Cipher Spec, Encrypted Handshake Message

 8 0.017888   Client  Server TLS   Application Data, Application Data
[Some more application data and ACKs between client and server]

21 0.021257   Client  Server TLS   Encrypted Alert
Here, the client sends an SSL_shutdown.

22 0.021275   Server  Client TCP   ldaps > 12085 [ACK] Seq=4179515399 Ack=255347678 Win=57339 Len=0
The server sends its TCP ACK for the shutdown packet.

23 0.021302   Client  Server TCP   12085 > ldaps [FIN, ACK] Seq=255347678 Ack=4179515399 Win=57408 Len=0
The client closes its TCP connection.

24 0.021320   Server  Client TCP   ldaps > 12085 [ACK] Seq=4179515399 Ack=255347679 Win=57371 Len=0
Server's ACK.

25 0.021602   Server  Client TLS   Encrypted Alert
The server wants to send its SSL_shutdown.

26 0.021621   Server  Client TCP   ldaps > 12085 [FIN, ACK] Seq=4179515436 Ack=255347679 Win=57408 Len=0
Server's TCP FIN.

27 1.216566   Server  Client TLS   Encrypted Alert
28 3.417394   Server  Client TLS   Encrypted Alert
29 7.618977   Server  Client TLS   Encrypted Alert
30 15.822066  Server  Client TLS   Encrypted Alert
31 20.793937  Server  Client TLS   Encrypted Alert
32 32.028167  Server  Client TLS   Encrypted Alert
33 36.379810  Server  Client TLS   Encrypted Alert

Now here is the problem:

The client -> server side of the TCP session is already closed when the
server wants to send its SSL_shutdown, so this SSL_shutdown will
*never* be ACKed!

And the server's TCP/IP stack will resend this packet.

And if I do a netstat -an on the server side, I get this:

tcp4 0  37  Server.636 Client.ephemeral LAST_ACK
(and one similar line for each connection).

And sometimes, it looks like slapd goes into some kind of "big timeout"
and tries to clean all its LAST_ACK connections.

I think there is at least one problem with the TCP/IP stack, which
should detect it cannot receive this ACK (but I may be wrong).

But from what I know about SSL (I am *NOT* an SSL/TLS expert!!), there
also seems to be a problem with SSL_shutdown.


Can an SSL expert confirm this problem?

Is there an option to reduce/resolve this problem?



Thanks.

Yvan.
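An added example (not part of Yvan's message or of OpenLDAP) that turns the reasoning above into a check you can run over an ethereal summary: it records when each host sent its TCP FIN and flags every TLS alert sent toward a host that has already closed, which is exactly the unacknowledgeable close_notify and its retransmissions in frames 25 and 27-33. The summary-line regex and the host names Client/Server are assumptions matching the format shown in the post.

```python
import re

# Ethereal summary format from the post: frame, time, src, dst, proto, info.
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(TCP|TLS|SSLv2)\s+(.*)$")

# Constructed sample input: frames 21-33 copied from the dump in the post.
SAMPLE = """\
21 0.021257   Client  Server TLS   Encrypted Alert
22 0.021275   Server  Client TCP   ldaps > 12085 [ACK] Seq=4179515399 Ack=255347678 Win=57339 Len=0
23 0.021302   Client  Server TCP   12085 > ldaps [FIN, ACK] Seq=255347678 Ack=4179515399 Win=57408 Len=0
24 0.021320   Server  Client TCP   ldaps > 12085 [ACK] Seq=4179515399 Ack=255347679 Win=57371 Len=0
25 0.021602   Server  Client TLS   Encrypted Alert
26 0.021621   Server  Client TCP   ldaps > 12085 [FIN, ACK] Seq=4179515436 Ack=255347679 Win=57408 Len=0
27 1.216566   Server  Client TLS   Encrypted Alert
28 3.417394   Server  Client TLS   Encrypted Alert
29 7.618977   Server  Client TLS   Encrypted Alert
30 15.822066  Server  Client TLS   Encrypted Alert
31 20.793937  Server  Client TLS   Encrypted Alert
32 32.028167  Server  Client TLS   Encrypted Alert
33 36.379810  Server  Client TLS   Encrypted Alert
"""

def analyze(summary):
    """Map each host to the time of its first FIN, and to the TLS alerts it
    sent *after* the peer had already sent FIN (alerts the peer cannot ACK)."""
    fin_at, late = {}, {}
    for line in summary.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # prose or unrelated line
        frame, t, src, dst, proto, info = m.groups()
        if proto == "TCP" and "[FIN" in info:
            fin_at.setdefault(src, float(t))  # first FIN from this host
        elif proto == "TLS" and "Encrypted Alert" in info and dst in fin_at:
            late.setdefault(src, []).append((int(frame), float(t)))
    return {"fin_at": fin_at, "late_alerts": late}

def retransmissions(result, host):
    """How many times `host` re-sent its unacknowledged close_notify: more
    than one late alert means the TCP stack is retransmitting (LAST_ACK)."""
    return max(0, len(result["late_alerts"].get(host, [])) - 1)

if __name__ == "__main__":
    r = analyze(SAMPLE)
    for host, alerts in r["late_alerts"].items():
        print(f"{host}: {len(alerts)} alert(s) after peer FIN, "
              f"{retransmissions(r, host)} retransmission(s), last at {alerts[-1][1]:.2f}s")
```

The sample is a single connection; on a capture with many connections you would first group the lines by the client's ephemeral port before applying the same check.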
