
Re: Ambiguous SSL/TLS error messages from slapd



Brian A. Seklecki (CFI NOC) wrote:
Steve, I agree:


    This error gets printed with "-1" under too many
    conditions.  Just look at:
       libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

    RC Return Code -1 could happen in about a dozen places.

    I think we need to take a two step approach to fixing this:

    1) Long term, implement OpenSSL's err(3)

What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.

    2) Short term, in servers/slapd/main.c:

     Debug( LDAP_DEBUG_ANY,
       "main: TLS init def ctx failed: %d\n",
          rc, 0, 0 );

    We should change / append to this to clarify:

      if ( rc < 0 )
          Debug( LDAP_DEBUG_ANY, "main: something has gone terribly "
              "wrong in creation of the SSL data structure.  Check "
              "filesystem permissions, ownership bits, ACLs, configuration "
              "file paths.  Resort to strace(1)/ktrace(1) "
              "debugging.\n", rc, 0, 0 );

      if ( rc > 0 )
          Debug( LDAP_DEBUG_ANY, "main: something has gone wrong "
              "in creation of the SSL socket data structure.  Please "
              "check the OpenSSL error code above against: "
              "/usr/include/openssl/ssl until we err(3) support\n", rc, 0, 0 );

Pointless, since all failures inside init_ctx already call tlso_report_error().

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
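The point both posters circle around is that a bare return code of -1 from TLS context initialization cannot tell an operator whether the problem is a filesystem one (path, permissions, ownership) or an OpenSSL one (the file was read but its contents were rejected); that distinction lives in the OpenSSL error queue, which is what tlso_report_error() logs. The following is an added illustration, not OpenLDAP or OpenSSL code: it uses Python's standard ssl module, which surfaces the OpenSSL error queue as ssl.SSLError and plain open() failures as OSError, to classify a failed certificate/key load into those two categories. The function name classify_tls_init_failure and the constructed inputs (a missing path and a file of non-PEM text) are mine.

```python
"""Added example (not OpenLDAP code): why a bare rc == -1 is ambiguous, and
how the OpenSSL error queue, exposed by Python's ssl module as ssl.SSLError,
separates filesystem failures from certificate/key content failures."""
import os
import ssl
import tempfile
from typing import Optional


def classify_tls_init_failure(certfile: str, keyfile: Optional[str] = None) -> dict:
    """Try to build a server TLS context from cert/key files and classify failure.

    Returns {"ok": True} on success, otherwise a dict whose "category" is
    "filesystem" (the file could not be opened: ENOENT, EACCES, ...) or
    "openssl" (the file was readable but libssl rejected its contents),
    together with the detail an operator needs to act on it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        # ssl.SSLError is a subclass of OSError, so it must be caught first.
        # exc.library / exc.reason carry the OpenSSL error-queue entry (for
        # example a PEM decoding failure); this is the information that a
        # bare -1 return code throws away and that an error-queue report
        # such as slapd's tlso_report_error() preserves.
        return {"ok": False, "category": "openssl",
                "library": exc.library, "reason": exc.reason, "detail": str(exc)}
    except OSError as exc:
        # Plain OSError: the file was never opened, so OpenSSL never saw the
        # bytes and its error queue has nothing useful; errno is the clue.
        return {"ok": False, "category": "filesystem",
                "errno": exc.errno, "detail": exc.strerror or str(exc)}
    return {"ok": True}


def demo() -> dict:
    """Run the classifier over two constructed inputs: a missing path and a
    file containing text that is not a PEM certificate."""
    with tempfile.TemporaryDirectory() as d:
        missing = os.path.join(d, "no-such-cert.pem")       # constructed
        garbage = os.path.join(d, "garbage.pem")            # constructed
        with open(garbage, "w") as f:
            f.write("this is not a certificate\n")
        return {
            "missing": classify_tls_init_failure(missing),
            "garbage": classify_tls_init_failure(garbage),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result['category']}: {result['detail']}")
```

Running it prints a "filesystem" line for the missing file (errno ENOENT) and an "openssl" line for the garbage file, which is exactly the split the proposed "check permissions" versus "check the OpenSSL error code" messages were trying to make by hand; the error queue already makes it for you, provided it is logged next to the return code.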