TLS in 2.0.8 vs 2.0.7, openssl 0.9.6, HP-UX 11, gcc
There have been some changes in TLS handling between 2.0.7 and 2.0.8. I found
I had to make new certificates which had a cn of the slapd hostname in order to
satisfy the client. That wasn't too bad.
Now, I'm getting failures on TLS connect. Using -d1 on slapd, the 2.0.7 model
seems to have the same "errors" when reading the client certificate as 2.0.8,
although the verify client certificate flag is off in both cases. I put
TLSVerifyClient 0
in slapd.conf and put some printf's into openldap to assure myself that
SSL_VERIFY_PEER was not being set in (LDAP *)->verify_mode.
I found that if I try -d-1, for full debugging, it will occasionally succeed,
which is disturbing. Again, the logs below are -d1 level debugging.
It could be that these lines of difference between the two logs are the key,
but I don't know what they signify:
ber_get_next on fd 7 failed errno=246 (Operation would block)
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
Is there an openldap or openssl guru out there who can give me a clue about
what I am doing wrong?
@(#) $OpenLDAP: slapd 2.0.7-Release (Tue Apr 17 10:35:02 EDT 2001) $
aej@hp3com2:/tools/utilities/openldap/openldap-2.0.7/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 7
ber_get_next
ber_get_next on fd 7 failed errno=246 (Operation would block)
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
do_bind
i.e. it worked. Trying 2.0.8:
@(#) $OpenLDAP: slapd 2.0.8-Release (Thu May 17 15:08:16 EDT 2001) $
aej@hp3com2:/tools/utilities/openldap/openldap-2.0.8/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 7
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(7): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=7 for close
connection_close: conn=0 sd=7
i.e. it failed.
------- end of forwarded message -------
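The two errno lines the post singles out are worth a closer look: the messages show that on this HP-UX host EWOULDBLOCK (246, "Operation would block") and EAGAIN (11, "Resource temporarily unavailable") are distinct values, whereas on Linux they are the same number, so a non-blocking read path that checks only one of them will treat the other as a hard failure and close the connection mid-handshake. The example below is added here and is not OpenLDAP's or the poster's code; it assumes nothing about where slapd 2.0.8 actually fails and only shows a read wrapper that treats both values as "no data yet, retry", exercised on a non-blocking socketpair.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one read attempt on a non-blocking descriptor. */
enum rd_status { RD_DATA, RD_EOF, RD_RETRY, RD_ERROR };

/* Wraps read(2). EAGAIN and EWOULDBLOCK both mean "nothing to read yet,
 * come back when the fd is readable". They are the same value on Linux but
 * differ on HP-UX (11 vs 246), so testing only one of them would turn a
 * harmless would-block into a fatal error that closes the connection. */
enum rd_status nb_read(int fd, char *buf, size_t len, ssize_t *got)
{
    ssize_t n = read(fd, buf, len);
    if (n > 0) { *got = n; return RD_DATA; }
    if (n == 0) { *got = 0; return RD_EOF; }
    *got = -1;
    if (errno == EAGAIN || errno == EWOULDBLOCK)
        return RD_RETRY;   /* transient: keep the connection open */
    return RD_ERROR;       /* genuine failure: safe to close */
}

/* Drives nb_read through all four outcomes on a constructed socketpair.
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo_nonblocking_read(void)
{
    int sv[2]; char buf[64]; ssize_t got;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if (fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK) < 0) return 2;

    /* Peer has sent nothing yet: must be RETRY, not ERROR. */
    if (nb_read(sv[0], buf, sizeof buf, &got) != RD_RETRY) return 3;
    if (write(sv[1], "hello", 5) != 5) return 4;
    if (nb_read(sv[0], buf, sizeof buf, &got) != RD_DATA || got != 5) return 5;
    close(sv[1]);                       /* peer hangs up: orderly EOF */
    if (nb_read(sv[0], buf, sizeof buf, &got) != RD_EOF) return 6;
    close(sv[0]);
    if (nb_read(-1, buf, sizeof buf, &got) != RD_ERROR) return 7; /* EBADF */
    return 0;
}

int main(void)
{
    int rc = demo_nonblocking_read();
    printf("%s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```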