RE: Session Resumption problems with JSSE-OpenLDAP
Hi,
I have read the thread about this problem in the mail archive of
openldap-software. The most important part was this:
> OpenLDAP's slapd doesn't allow resumption of sessions. slapd
> abruptly closes the LDAP session when the TLS association is
> terminated. This behavior is allowed per section 4 of RFC 2830.
(http://www.openldap.org/lists/openldap-software/200205/msg00603.html)
What does it mean? You cannot initialize an SSL connection against OpenLDAP
using a Session ID at all?
When I run:
openssl s_client -connect usermap.vc.cvut.cz:ldaps -reconnect
OpenLDAP (libssl) establishes a connection and generates a session ID,
and it reconnects four times, because libssl allows it.
I think the problem is that nobody reads from the reestablished socket on the
server side. If OpenLDAP does not support session resumption in any way,
why don't you call SSL_CTX_set_session_cache_mode()?
I have added this:
--- tls.c.orig 2002-09-03 19:42:23.000000000 +0200
+++ tls.c 2002-09-03 18:56:57.000000000 +0200
@@ -178,6 +178,7 @@
if ( tls_def_ctx == NULL ) {
int i;
tls_def_ctx = SSL_CTX_new( SSLv23_method() );
+ SSL_CTX_set_session_cache_mode(tls_def_ctx, SSL_SESS_CACHE_OFF);
if ( tls_def_ctx == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG ( TRANSPORT, ERR,
"ldap_pvt_tls_init_def_ctx: "
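Review bot: the added SSL_CTX_set_session_cache_mode() call sits between SSL_CTX_new() and the `if ( tls_def_ctx == NULL )` check that follows it, so when SSL_CTX_new() fails the call is made on a NULL context; move the line below that error-handling block so it only runs on a valid tls_def_ctx. With SSL_SESS_CACHE_OFF the server simply stops issuing session IDs, so a client that tries to resume falls back to a full handshake, which is the effect described in the text.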
and since then I can connect as many times as I want from SUN JSSE to
OpenLDAP. This prevents OpenLDAP from generating Session IDs at all.
But I don't know anything about the guts of OpenLDAP, so I am afraid I did
something silly.
Could this work?
PS: In my case (JDK 1.4.0.01) the connection hangs with/without debugging JSSE.
I can post debugging output from a hung/correct run of JSSE (JLDAP) =>
OpenSSL, if anybody wants it.
Ivan Brezina