Hi again,

I have found a way to reproduce this bug relatively easily using
gnutls-cli (all packages from sarge):

1) $ apt-get install slapd gnutls-bin
    ... set up a simple empty ldap directory (dc=mydomain,dc=de) ...
2) $ openssl req -newkey rsa:1024 -keyout /etc/ssl/private/mycert-key.pem \
     -out /etc/ssl/certs/mycert.pem -nodes -x509 -days 365
    ...
3) /etc/ldap/slapd.conf:
    ...
    TLSCipherSuite  HIGH:MEDIUM:+SSLv2
    TLSCertificateFile      /etc/ssl/certs/mycert.pem
    TLSCertificateKeyFile   /etc/ssl/private/mycert-key.pem
    ...
4) /etc/default/slapd
    ...
    SLAPD_SERVICES="ldaps:///"
    ...
5) $ /etc/init.d/slapd restart

6) $ cat > /etc/ldap/ldap.conf
     BASE    dc=mydomain,dc=de
     URI     ldaps://ldap.mydomain.de
     TLS_REQCERT     allow
     ^D

7) $ cat > /tmp/gnutls-test
     #!/bin/sh
     gnutls-cli ldap.mydomain.de -p 636 < /dev/null > /tmp/gnutls$1 &
     ^D
   $ chmod +x /tmp/gnutls-test

8) $ for i in $( seq 1 1000 ); do
       echo -n $i
       /tmp/gnutls-test $i
       sleep 1
       killall gnutls-cli
     done


This produces sporadic errors of the form:

...
504Connecting to '172.22.169.186:636'...
505Connecting to '172.22.169.186:636'...
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
gnutls-cli: no process killed
506Connecting to '172.22.169.186:636'...
...

The file /tmp/gnutls505 then contains:
  Resolving 'ldap.mydomain.de'...
  *** Received alert [20]: Bad record MAC


All this seems to be independent of whether the gnutls client runs on
the same machine as the ldap server or not.

As mentioned in the previous mail, I don't get similar errors when using
openssl s_client. Therefore I cc this mail to Matthias Urlichs (gnutls
maintainer).


regards

        Daniel

-- 
-----------------------------------------------------------------
Daniel Hermann,   Institut fuer Theorie der Kondensierten Materie
Universitaet Karlsruhe                  Tel: ++49 (0)721 608-3588
Postfach 6980                           Fax: ++49 (0)721 608-7779
76128 Karlsruhe, Germany      email: [EMAIL PROTECTED]
-----------------------------------------------------------------
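
A tidier version of the reproduction loop from steps 7 and 8, added here as an example and not part of the original mail: each gnutls-cli run is given its own timeout and killed by PID rather than with killall, both stdout and stderr go into the per-trial file (the "*** Fatal error" lines above were lost because only stdout was redirected), and the transcripts are classified by the TLS alert they contain so the "Bad record MAC" rate can be counted. The host, port, output directory and the use of coreutils `timeout` are assumptions.

```bash
#!/bin/bash
# Added reproduction harness (not from the bug report). HOST, PORT and
# OUTDIR are assumptions; override them in the environment as needed.
HOST="${HOST:-ldap.mydomain.de}"
PORT="${PORT:-636}"
OUTDIR="${OUTDIR:-/tmp/gnutls-trials}"

# Extract the numeric TLS alert code from one gnutls-cli transcript, e.g.
# "*** Received alert [20]: Bad record MAC" -> 20. Prints nothing if none.
gnutls_alert_code() {
    sed -n 's/^\*\*\* Received alert \[\([0-9]*\)\].*/\1/p' "$1" | head -n 1
}

# Classify one transcript as ok / alert-<code> / handshake-failed.
classify_trial() {
    local code
    code=$(gnutls_alert_code "$1")
    if [ -n "$code" ]; then
        echo "alert-$code"
    elif grep -q 'Handshake has failed' "$1"; then
        echo "handshake-failed"
    else
        echo "ok"
    fi
}

# Run N sequential trials; each gnutls-cli gets at most T seconds (default 5)
# and is terminated individually, so the transcript is complete before it is
# classified and no unrelated gnutls-cli process is touched.
run_trials() {
    local n="$1" t="${2:-5}" i
    mkdir -p "$OUTDIR"
    for i in $(seq 1 "$n"); do
        timeout "$t" gnutls-cli "$HOST" -p "$PORT" </dev/null \
            >"$OUTDIR/trial$i" 2>&1
        echo "$i $(classify_trial "$OUTDIR/trial$i")"
    done
}

# Tally the "<trial> <class>" lines printed by run_trials.
summarize() {
    awk '{count[$2]++} END {for (k in count) print k, count[k]}' | sort
}

# Usage: run_trials 1000 | tee "$OUTDIR/results" | summarize
```

Comparing the tally against the same loop run with `openssl s_client -connect "$HOST:$PORT"` in place of gnutls-cli is the quickest way to confirm the client-side difference described in the mail.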