20463: SSL3[808304]: received alert, level=2, description=42
I looked at the Mozilla source and this corresponds to a bad certificate. I then used PR_GetError to look at the underlying NSS/NSPR error and saw the following during failed sasl binds:
Error -12271: SSL Peer cannot verify your certificate
So I went one step further and instead of using my own test driver, I used the ldapsearch tool that ships with directory server. I ran this simultaneously as two different users on two different hosts, and the exact same problem happened: every few attempts I would see the error "ldap_sasl_bind: -12271 ..." and the search would fail. I did this several times, and there's no pattern as to when/how frequently it occurs, or to which user (it happens to both). The command I was using was:
ldapsearch -b "ou=people,..." -Z -P ~/cert7.db -N "${USER}_cert" -K ~/.key3.db -h dnfs802 -p 636 -W - uid="${USER}"
The ldapsearch tool that ships with DSRK 5.2.1 is built on the same Mozilla libs I'm using (I also have NSS 3.7.3 and NSPR 4.2.2 and they don't remedy the problem). The fact that the ldapsearch is seeing the same exact problem as my own code leads me to believe the problem is in the Mozilla code, but at the same time, there are tons of people using that code and I'm guessing a lot of people would have mentioned this if it were a problem. Has anyone else seen this?
Thanks, Mike
On 3/12/06, Anton Bobrov <[EMAIL PROTECTED]> wrote:
> binds). Looking at Sun's website, it says error code B1 means the BER
> request was either corrupt or too long. Has anyone seen this before or
> know why the request would be corrupt? It seems weird since some of the
> binds go through, and it's only when multiple users start running that
> it prints this B1 error code.
I seriously doubt you are running into a maxbersize issue; it's 2Mb by
default, though you can crank it up a wee bit more and see if it makes
any diff in your case or not. See
http://docs.sun.com/source/817-7616/config.html
---> nsslapd-maxbersize (Maximum Message Size)
> I've posted this to Sun's tech support forum and been in contact with
> their tech support (since I originally suspected a server problem), but
> now I'm thinking the BER encoding for the SASL bind is not correct.
We did fix quite a few SASL-related bugs. If you can provide any
testcases that would be great. If not, you can try figuring out
the shortest path to reproduce it on your test system and capture
debug output I can later have a look at for you. To do that you're
gonna need debug binaries and a quick code injection on your part,
see
http://lxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/clients/tools/common.c#386
to enable ldap and lber debug output. Setting it to something like
99 should do the trick. Beware, it's gonna spit loads of output,
so make sure you have a short path to reproduce. That output
combined with DS logs for the same time frame would help to get
further with this. Again, if you are a Sun DS customer I would
recommend having a support case going in parallel so we
can get server folks involved as well.
_______________________________________________ dev-tech-ldap mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-ldap
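A triage helper for the intermittent failure discussed in this thread, added here as an example and not part of the original messages: it decodes the NSS "received alert" line (TLS alert level 2 is fatal, description 42 is bad_certificate) and the -12271 bind error (NSS SSL_ERROR_BAD_CERT_ALERT), then tallies attempts versus failures per user and host so the "no pattern" observation can be checked on a real capture. The "[user@host] attempt N:" prefix and "bind ok" marker are a constructed wrapper format (what a shell loop around ldapsearch might echo), not ldapsearch output.

```python
import re

# TLS alert levels and some certificate-related descriptions (RFC 5246, section 7.2.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}
# NSS: SSL_ERROR_BASE is -12288, so -12271 is SSL_ERROR_BAD_CERT_ALERT (peer rejected our cert).
NSS_ERRORS = {-12271: "SSL_ERROR_BAD_CERT_ALERT"}
ALERT_RE = re.compile(r"SSL3\[\d+\]: received alert, level=(\d+), description=(\d+)")
BIND_RE = re.compile(r"ldap_sasl_bind: (-\d+)")
# Constructed wrapper prefix, e.g. from a shell loop echoing "[user@host] attempt N:" per run.
PREFIX_RE = re.compile(r"^\[(\w+)@(\w+)\] attempt (\d+): (.*)$")

# Constructed sample: only the SSL3 alert and ldap_sasl_bind lines follow the thread's format.
SAMPLE_LOG = """\
[mike@dnfs801] attempt 1: bind ok
[mike@dnfs801] attempt 2: 20463: SSL3[808304]: received alert, level=2, description=42
[mike@dnfs801] attempt 2: ldap_sasl_bind: -12271 SSL Peer cannot verify your certificate
[jane@dnfs802] attempt 1: bind ok
[jane@dnfs802] attempt 2: bind ok
[jane@dnfs802] attempt 3: SSL3[808305]: received alert, level=2, description=42
[jane@dnfs802] attempt 3: ldap_sasl_bind: -12271 SSL Peer cannot verify your certificate
[mike@dnfs801] attempt 3: bind ok
"""

def decode_alert(line):
    """Return (level_name, description_name) for an NSS 'received alert' line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    level, desc = int(m.group(1)), int(m.group(2))
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")

def summarize(log_text):
    """Per user@host: attempts made, attempts that failed, and alert/NSS codes seen."""
    stats = {}
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        key, attempt, msg = f"{m.group(1)}@{m.group(2)}", int(m.group(3)), m.group(4)
        s = stats.setdefault(key, {"attempts": set(), "failed": set(), "alerts": set(), "errors": set()})
        s["attempts"].add(attempt)
        if (alert := decode_alert(msg)):
            s["alerts"].add(alert)
        if (e := BIND_RE.search(msg)):  # a non-zero bind result means that attempt failed
            s["failed"].add(attempt)
            s["errors"].add(NSS_ERRORS.get(int(e.group(1)), f"error_{e.group(1)}"))
    return {k: {"attempts": len(v["attempts"]), "failed": len(v["failed"]),
                "alerts": sorted(v["alerts"]), "errors": sorted(v["errors"])} for k, v in stats.items()}
```

If failures spread evenly across users and hosts, as here, the client certificate itself is an unlikely cause; a server-side or session-level check is the next place to look.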
