
RE: Session Resumption problems with JSSE-OpenLDAP

Hi,
I have read the thread about this problem in the mail archive of
openldap-software. The most important part was this
(http://www.openldap.org/lists/openldap-software/200205/msg00603.html):

> OpenLDAP's slapd doesn't allow resumption of sessions.  slapd
> abruptly closes the LDAP session when the TLS association is
> terminated.  This behavior is allowed per section 4 of RFC 2830.


What does it mean? You cannot initialize an SSL connection against OpenLDAP
using a Session ID at all?

When I run:
openssl s_client -connect usermap.vc.cvut.cz:ldaps -reconnect
OpenLDAP (libssl) establishes the connection and generates a session ID,
and it reconnects four times, because libssl allows it.

I think the problem is that nobody reads from the re-established socket on the
server side. If OpenLDAP does not support session resumption in any way,
why don't you call SSL_CTX_set_session_cache_mode()?

I have added this:
--- tls.c.orig  2002-09-03 19:42:23.000000000 +0200
+++ tls.c       2002-09-03 18:56:57.000000000 +0200
@@ -178,6 +178,7 @@
        if ( tls_def_ctx == NULL ) {
                int i;
                tls_def_ctx = SSL_CTX_new( SSLv23_method() );
+               SSL_CTX_set_session_cache_mode(tls_def_ctx, SSL_SESS_CACHE_OFF);
                if ( tls_def_ctx == NULL ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, 
"ldap_pvt_tls_init_def_ctx: "
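Review bot: the added `SSL_CTX_set_session_cache_mode(tls_def_ctx, SSL_SESS_CACHE_OFF);` is placed before the `if ( tls_def_ctx == NULL )` check that follows `SSL_CTX_new()`, so when `SSL_CTX_new()` fails the call receives a NULL context and the process crashes inside OpenSSL instead of reaching the `LDAP_LOG` error branch. Move the line below the NULL check, where `tls_def_ctx` is known to be valid. A one-line comment stating why the server-side session cache is turned off (slapd does not support resuming a TLS session, so handing out session IDs only invites clients such as JSSE to attempt a resumption that then hangs) would also help, since otherwise a later maintainer has no reason not to remove it.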

and since then I can connect as many times as I want from SUN JSSE to
OpenLDAP. This prevents OpenLDAP from generating Session-IDs at all.
But I don't know anything about the guts of OpenLDAP, so I am afraid I
did something silly.

Could this work?

PS: In my case (JDK 1.4.0.01) the connection hangs with or without JSSE debugging.
I can post the debugging output from a hung/correct run of JSSE (JLDAP) =>
OpenSSL, if anybody wants it.


Ivan Brezina