Re: Ambiguous SSL/TLS error messages from slapd
- To: openldap-software@openldap.org, spolyack@comcast.net
- Subject: Re: Ambiguous SSL/TLS error messages from slapd
- From: "Brian A. Seklecki (CFI NOC)" <seklecki@noc.cfi.pgh.pa.us>
- Date: Thu, 18 Feb 2010 18:15:33 -0500
- Organization: Collaborative Fusion, Inc. (DRP NOC)
Steve, I agree:
This error gets printed with "-1" under too many
conditions. Just look at:
libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
RC (return code) -1 could happen in about a dozen places.
I think we need to take a two step approach to fixing this:
1) Long term, implement OpenSSL's err(3)
2) Short term, in servers/slapd/main.c:
Debug( LDAP_DEBUG_ANY,
"main: TLS init def ctx failed: %d\n",
rc, 0, 0 );
We should change / append to this to clarify:
if (rc < 0)
	Debug( LDAP_DEBUG_ANY, "main: something has gone terribly "
		"wrong in creation of the SSL data structure. Check "
		"filesystem permissions, ownership bits, ACLs, configuration "
		"file paths. Resort to strace(1)/ktrace(1) "
		"debugging.\n", rc, 0, 0 );
if (rc > 0)
	Debug( LDAP_DEBUG_ANY, "main: something has gone wrong "
		"in creation of the SSL socket data structure. Please "
		"check the OpenSSL error code above against "
		"/usr/include/openssl/ssl until we have err(3) support\n", rc, 0, 0 );
I will submit a patch.
~BAS
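The short-term message proposed above tells the administrator to go and check permissions, ownership and paths by hand. The following is an added example (not OpenLDAP code, and not the patch the poster says he will submit) of doing that check from inside the daemon, so that a bare "TLS init def ctx failed: -1" is replaced by the concrete reason as the slapd process itself sees it. It assumes the rc < 0 / rc > 0 split from the message, that the files in question are the ones named by slapd's TLSCertificateFile and TLSCertificateKeyFile directives, and that the configuration paths are passed in by the caller; the function names are invented for the example.

```c
/* Added example: pre-flight checks that turn an opaque
 * "TLS init def ctx failed: -1" into a concrete reason.
 * Not OpenLDAP code; the rc<0 / rc>0 split and the directive
 * names are assumptions taken from the message above. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check one file that slapd would hand to OpenSSL (certificate, key, CA
 * bundle) the way the running process sees it: does it exist, is it a
 * regular file, and is it readable by the effective uid?  Writes a
 * one-line diagnosis into buf.  Returns 0 if usable, -1 otherwise. */
int check_tls_file(const char *label, const char *path, char *buf, size_t len)
{
    struct stat st;

    if (path == NULL || path[0] == '\0') {
        snprintf(buf, len, "%s: not set in the configuration", label);
        return -1;
    }
    if (stat(path, &st) != 0) {
        /* ENOENT here usually means a typo, or a relative/chroot path issue */
        snprintf(buf, len, "%s: %s: %s", label, path, strerror(errno));
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        snprintf(buf, len, "%s: %s: not a regular file (mode 0%o)",
                 label, path, (unsigned)st.st_mode & 07777);
        return -1;
    }
    if (access(path, R_OK) != 0) {
        /* EACCES: ownership, mode bits or ACLs deny the uid slapd runs as */
        snprintf(buf, len,
                 "%s: %s: not readable by uid %u (owner uid %u, mode 0%o): %s",
                 label, path, (unsigned)geteuid(), (unsigned)st.st_uid,
                 (unsigned)st.st_mode & 07777, strerror(errno));
        return -1;
    }
    snprintf(buf, len, "%s: %s: readable (owner uid %u, mode 0%o)",
             label, path, (unsigned)st.st_uid, (unsigned)st.st_mode & 07777);
    return 0;
}

/* Map a TLS-init return code to a message a reader can act on.
 * rc < 0 : context creation failed before OpenSSL produced a code, so the
 *          files are the first suspect;  rc > 0 : OpenSSL reported an error.
 * Returns 0 for success, 1 for a filesystem/configuration problem,
 * 2 for an OpenSSL-level error. */
int explain_tls_init_failure(int rc, const char *certfile, const char *keyfile,
                             char *buf, size_t len)
{
    if (rc == 0) {
        snprintf(buf, len, "TLS init ok");
        return 0;
    }
    if (rc < 0) {
        if (check_tls_file("TLSCertificateFile", certfile, buf, len) != 0)
            return 1;
        if (check_tls_file("TLSCertificateKeyFile", keyfile, buf, len) != 0)
            return 1;
        snprintf(buf, len,
                 "TLS init def ctx failed (rc %d) although %s and %s are "
                 "readable; check the remaining paths in the configuration "
                 "and trace the open(2) calls with strace(1)/ktrace(1)",
                 rc, certfile, keyfile);
        return 1;
    }
    snprintf(buf, len,
             "OpenSSL reported error %d while building the SSL context; "
             "drain its error queue with ERR_get_error(3)/ERR_error_string_n(3) "
             "for the library and reason text", rc);
    return 2;
}

int main(int argc, char **argv)
{
    char msg[512];
    const char *cert = argc > 1 ? argv[1] : "/etc/openldap/server.crt";
    const char *key  = argc > 2 ? argv[2] : "/etc/openldap/server.key";
    int kind = explain_tls_init_failure(-1, cert, key, msg, sizeof msg);

    printf("class %d: %s\n", kind, msg);
    return kind;
}
```

Run it as the slapd user (`sudo -u ldap ./a.out /etc/openldap/server.crt /etc/openldap/server.key`) so that the access(2) result reflects the daemon's uid rather than root's. For the rc > 0 branch the long-term fix the message refers to is the OpenSSL error queue: after a failing SSL_CTX_* call, ERR_get_error() returns the packed error and ERR_error_string_n() renders the library, function and reason text, which is what err(3) support in libldap would print instead of a bare integer.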