[Pkg-openldap-devel] Bug#457182: slapd: TLS connections failed after a while
Denis Sacchet
spam at ouba.org
Thu Dec 20 10:54:47 UTC 2007
Package: slapd
Version: 2.3.30-5
Severity: grave
Justification: renders package unusable
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Denis Sacchet <spam at ouba.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: slapd: TLS connections failed after a while
Message-ID: <20071220103033.11579.59677.reportbug at smtp.evidenceci.com>
X-Mailer: reportbug 3.31
Date: Thu, 20 Dec 2007 11:30:33 +0100
I use openldap as a centralized authentication storage, used by
several services:
- apache httpd
- pam_ldap (then used by sshd)
- nss_ldap
- cyrus sasl through saslauthd (then used by postfix and cyrus imapd)
- egroupware
As the server is open on the internet, I refuse unencrypted connections
to the LDAP server by forcing TLS encryption (so through port 389).
I use a certificate generated by a local CA (so it is not a self-signed
certificate, but a certificate signed by a personal CA).
Everything works perfectly for 1 day, sometimes longer, and suddenly
we cannot connect to the LDAP server anymore; a trace gave the following
information:
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
I spoke for a while on the openldap mailing list; after several exchanges,
it seems there is a conflict between slapd, libldap-2.3-0 and libldap2.
Indeed, libldap2 is linked against GNUTLS, while slapd and libldap-2.3-0 are
linked against OpenSSL ... The answer of the OpenLDAP developers is "It
will be fixed with openldap 2.4.x developed for GNUTLS, and when
Debian's developers will integrate this version".
(if you want to take a look at the discussion on the mailing list, you
can search for the subject: "Strange TLS behaviour with slapd 2.3.30 on
Debian Etch" on the openldap-software at openldap.org mailing list)
In the meantime, every day I need to restart all the services (I don't
know why, but crontab also doesn't work when the problem occurs, perhaps a
link with pam/nss), and all the services are no longer available until
then ...
I can provide traces, logs, etc. as requested; I have a lot of
information about the problem, and the problem is reproducible.
Thanks in advance for your attention
Best regards
Denis Sacchet
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21.1dedibox-r7
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Versions of packages slapd depends on:
ii adduser 3.102 Add and remove users and groups
ii coreutils 5.97-5.3 The GNU core utilities
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-2 Berkeley v4.2 Database Libraries [
ii libiodbc2 3.52.4-5 iODBC Driver Manager
ii libldap-2.3-0 2.3.30-5 OpenLDAP libraries
ii libltdl3 1.5.22-4 A system independent dlopen wrappe
ii libperl5.8 5.8.8-7etch1 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-8 Authentication abstraction library
ii libslp1 1.2.1-6.2 OpenSLP libraries
ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-p 5.8.8-7etch1 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.22.dfsg1-8 Pluggable Authentication Modules f
-- debconf information:
slapd/password_mismatch:
slapd/fix_directory: true
slapd/invalid_config: true
shared/organization: nodomain
slapd/upgrade_slapcat_failure:
slapd/upgrade_slapadd_failure:
slapd/backend: BDB
slapd/dump_database: when needed
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/migrate_ldbm_to_bdb: true
slapd/move_old_database: true
slapd/suffix_change: false
slapd/slave_databases_require_updateref:
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/autoconf_modules: true
slapd/purge_database: false
slapd/domain: nodomain
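Not part of the bug report: an added check, written here as a POSIX shell script, that tells whether one running process has mapped two OpenLDAP client libraries together with both TLS stacks (OpenSSL and GnuTLS), which is the mixed linkage the report blames for the handshake failure. The library file names follow the Debian etch packages listed in the report (libldap-2.3-0, libldap2, libssl0.9.8, libgnutls); the /proc maps lines embedded below are constructed samples, and the function names (tls_stack_conflict, check_pid) are chosen here, not taken from any OpenLDAP or Debian tool.

```shell
#!/bin/sh
# Added diagnostic, not part of the original bug report.
# Reads /proc/<pid>/maps-style lines and reports whether the process has
# mapped more than one libldap together with both libssl and libgnutls.

# Distinct mapped objects whose path (sixth maps column) matches an awk
# extended regex; input is maps text on stdin.
mapped_libs() {
    awk -v re="$1" 'NF >= 6 && $6 ~ re { print $6 }' | sort -u
}

# Number of non-empty lines in $1 (always exits 0 so it is safe under set -e).
count_lines() {
    printf '%s\n' "$1" | grep -c . || true
}

# Read maps on stdin, print a verdict, exit 0 if the OpenSSL/GnuTLS
# mix is present and 1 otherwise.
tls_stack_conflict() {
    maps=$(cat)
    ldap=$(printf '%s\n' "$maps" | mapped_libs '/libldap(_r)?[-.]')
    ssl=$(printf '%s\n' "$maps" | mapped_libs '/libssl[.]so')
    gnutls=$(printf '%s\n' "$maps" | mapped_libs '/libgnutls[.]so')
    nldap=$(count_lines "$ldap")
    nssl=$(count_lines "$ssl")
    ngnutls=$(count_lines "$gnutls")
    if [ "$nldap" -ge 2 ] && [ "$nssl" -ge 1 ] && [ "$ngnutls" -ge 1 ]; then
        echo "CONFLICT: $nldap libldap copies mapped with both OpenSSL and GnuTLS:"
        printf '%s\n' "$ldap" "$ssl" "$gnutls" | sed 's/^/  /'
        return 0
    fi
    echo "ok: libldap=$nldap openssl=$nssl gnutls=$ngnutls"
    return 1
}

# Live check of a running daemon, e.g. check_pid "$(pidof slapd)".
# Reading another user's maps needs root (or the same uid).
check_pid() {
    tls_stack_conflict < "/proc/$1/maps"
}

# Constructed sample: one consumer pulled in libldap-2.3 (OpenSSL build),
# another pulled in libldap.so.2 (GnuTLS build), so both stacks coexist.
CONFLICT_MAPS='b7e10000-b7e40000 r-xp 00000000 08:01 1001 /usr/lib/libldap-2.3.so.0.2.18
b7e40000-b7e80000 r-xp 00000000 08:01 1002 /usr/lib/libssl.so.0.9.8
b7e80000-b7eb0000 r-xp 00000000 08:01 1003 /usr/lib/libldap.so.2.0.130
b7eb0000-b7f00000 r-xp 00000000 08:01 1004 /usr/lib/libgnutls.so.13.0.6
b7f00000-b7f10000 rw-p 00000000 00:00 0 [heap]'

# Constructed sample: only the 2.3 library and OpenSSL are mapped.
CLEAN_MAPS='b7e10000-b7e40000 r-xp 00000000 08:01 1001 /usr/lib/libldap-2.3.so.0.2.18
b7e40000-b7e80000 r-xp 00000000 08:01 1002 /usr/lib/libssl.so.0.9.8
b7f00000-b7f10000 rw-p 00000000 00:00 0 [heap]'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$CONFLICT_MAPS" | tls_stack_conflict
    printf '%s\n' "$CLEAN_MAPS" | tls_stack_conflict
fi
```

Run it as `sh check.sh --demo` for the two samples, or source it and call `check_pid` against the consumers named in the report (slapd, saslauthd, apache, the sshd session using pam_ldap) rather than only slapd: the mix only matters inside a single address space, so a hit tells you which process to isolate and which package pulled the second libldap in (`ldd` on that process's binary and modules shows the chain). A clean result with the handshake still failing points away from the library mix and back at the TLS configuration or the CA chain.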