Strange TLS issue while upgrading from openldap 2.3 to 2.4
- To: openldap-technical@openldap.org
- Subject: Strange TLS issue while upgrading from openldap 2.3 to 2.4
- From: Guillaume Rousse <guillomovitch@gmail.com>
- Date: Mon, 25 Jun 2012 13:46:36 +0200
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120616 Thunderbird/13.0.1
Hello list.
I recently faced a strange issue while upgrading from openldap 2.3 to
2.4 (from centos 5.7 to 6.2, actually): the change was transparent for
every application except Zimbra, for which any authentication attempt
suffered from an unexplained 30s additional delay. Just switching
from explicit TLS usage on port 389 to explicit SSL usage on port 636
was enough to fix the issue.
The logs show that the delay occurs between the moment the bind
operation succeeds and the moment the client connection gets closed:
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=128.93.142.13:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 RESULT oid= err=0 text=
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" method=128
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" mech=SIMPLE ssf=0
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
...
Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed (connection lost)
Before the upgrade, the connection got closed immediately, and there was
no such delay.
Using a higher logging level doesn't provide additional useful details,
except maybe more details about connection termination:
Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): checking for input on id=1135
Jun 14 12:53:21 ildapslave2 slapd[7156]: ber_get_next on fd 109 failed errno=0 (Success)
Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): input error=-2 id=1135, closing.
I'm aware that this behaviour change may actually come from underlying
libraries, such as bdb for instance, rather than openldap itself, but
that's still quite a curious issue. Does anyone have a clue about this
problem?
--
The more cordial the buyer's secretary, the greater the odds that the
competition already has the order
-- Murphy's Laws on Technology n°38
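A small triage helper for the symptom described in the message above, added here as an example and not part of the original post or of OpenLDAP itself. It walks slapd stats-level log lines, tracks each conn= id, and reports connections where the gap between the last op RESULT and the "closed" line exceeds a threshold, together with the listener port, whether StartTLS was negotiated, whether the client sent an UNBIND, and the close reason. Run across a day of logs, this separates "client held the socket open and the TCP session was lost" (as in the post: port 389, StartTLS, no UNBIND, "connection lost") from clean ldaps closes, without asserting a cause for the delay. The sample log is constructed for this example in the format of the lines quoted above; the conn numbers, addresses and DN are made up, and the second, ldaps connection with an UNBIND and a clean close is an assumed contrast case.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the slapd log format quoted in the post.
# Conn ids, client IP, DN and the ldaps (636) connection are made up.
SAMPLE_LOG = """\
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=192.0.2.10:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 RESULT oid= err=0 text=
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=example,ou=people,dc=example,dc=org" method=128
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=example,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed (connection lost)
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 fd=140 ACCEPT from IP=192.0.2.10:41200 (IP=0.0.0.0:636)
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 fd=140 TLS established tls_ssf=256 ssf=256
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 op=0 BIND dn="uid=example,ou=people,dc=example,dc=org" method=128
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 op=0 BIND dn="uid=example,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 op=0 RESULT tag=97 err=0 text=
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 op=1 UNBIND
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 fd=140 closed
"""

# syslog prefix, then the slapd "conn=N ..." payload
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$"
)
# "(IP=0.0.0.0:389)" at the end of an ACCEPT line: the listener the client hit
LISTENER_RE = re.compile(r"\(IP=(?P<addr>.+):(?P<port>\d+)\)$")
# "fd=N closed" optionally followed by a reason such as "(connection lost)"
CLOSED_RE = re.compile(r"^fd=\d+ closed(?: \((?P<reason>[^)]*)\))?$")


def parse_ts(ts):
    """syslog timestamps carry no year; pin a leap year so 'Feb 29' parses.
    Only intra-log deltas are used, so the absolute year does not matter."""
    return datetime.strptime("2000 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def track_connections(log_text):
    """Per conn= id: listener port, StartTLS seen, UNBIND seen, time of the
    last RESULT, close time and close reason."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        c = conns.setdefault(m.group("conn"), {
            "port": None, "starttls": False, "unbind": False,
            "last_result": None, "closed": None, "reason": None,
        })
        rest = m.group("rest")
        if " ACCEPT from " in rest:
            lm = LISTENER_RE.search(rest)
            if lm:
                c["port"] = int(lm.group("port"))
        elif rest.endswith(" STARTTLS"):
            c["starttls"] = True
        elif rest.endswith(" UNBIND"):
            c["unbind"] = True
        elif " RESULT " in rest:
            c["last_result"] = ts
        else:
            cm = CLOSED_RE.match(rest)
            if cm:
                c["closed"] = ts
                c["reason"] = cm.group("reason") or "clean"
    return conns


def slow_closes(log_text, threshold_s=5.0):
    """Connections whose last RESULT -> closed gap exceeds threshold_s,
    longest delay first. Connections still open (no closed line) are skipped."""
    out = []
    for conn, c in track_connections(log_text).items():
        if c["last_result"] is None or c["closed"] is None:
            continue
        delay = (c["closed"] - c["last_result"]).total_seconds()
        if delay > threshold_s:
            out.append({"conn": conn, "delay_s": delay, "port": c["port"],
                        "starttls": c["starttls"], "unbind": c["unbind"],
                        "close_reason": c["reason"]})
    return sorted(out, key=lambda r: r["delay_s"], reverse=True)


if __name__ == "__main__":
    for r in slow_closes(SAMPLE_LOG):
        print(f"conn={r['conn']} port={r['port']} starttls={r['starttls']} "
              f"unbind={r['unbind']} delay={r['delay_s']:.0f}s "
              f"close={r['close_reason']}")
```

Feed it real logs with `slow_closes(open("/var/log/slapd.log").read())` (path assumed) and a threshold a little above your normal close latency. A cluster of results sharing one client IP, port 389, starttls=True, unbind=False and "connection lost" points at that client's TLS or connection teardown behaviour rather than at slapd processing time, which is the distinction the quoted log excerpt leaves open.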