Package: slapd
Version: 2.2.23-8
Severity: important

Hi,

We use openldap as authentication service and user information
database, using it together with libpam-ldap/libnss-ldap and, on the
mail server, with exim4.

Now I encountered frequent sporadic SSL errors (approx. each 500th
connection with libnss-ldap) about "bad record mac" (see debug output
below). That happens when calling "id someuser" (no nscd
running). Similar errors happen sporadically for exim4 when it
extracts mail information from the LDAP server.

I checked whether the errors are reproducible with "openssl s_client"
or ldapsearch (e.g. "ldapsearch -x uid=someuser uid"), but both work
perfectly without any errors with 10000 or more connections.

Could this be a problem of clients linked against gnutls (libnss-ldap,
exim4), whereas clients linked against openssl (ldap-utils) don't have
these problems?

I'd be glad if someone could give me some hints on what's going wrong
here and where (e.g. on what mailing list?) I could discuss this issue.

Thanks,

Daniel


The debug (slapd -d 1) output of such an SSL error is as follows:
...
connection_get(11): got connid=657
connection_read(11): checking for input on id=657
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=657
connection_read(11): checking for input on id=657
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL3 alert write:fatal:bad record mac
TLS trace: SSL_accept:error in SSLv3 read certificate verify A
TLS: can't accept.
TLS: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac s3_pkt.c:424
connection_read(11): TLS accept error error=-1 id=657, closing
connection_closing: readying conn=657 sd=11 for close
connection_close: conn=657 sd=11
...


A successful connection looks like this:


connection_get(11): got connid=656
connection_read(11): checking for input on id=656
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=656
connection_read(11): checking for input on id=656
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=656
connection_get(11): got connid=656
connection_read(11): checking for input on id=656
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
do_bind
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=656 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
do_bind: v3 anonymous bind
... (skipped further details)
connection_get(11): got connid=656
connection_read(11): checking for input on id=656
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=656, closing.
connection_closing: readying conn=656 sd=11 for close
connection_close: conn=656 sd=11
TLS trace: SSL3 alert write:warning:close notify
...

My /etc/ldap/ldap.conf contains the following:

BASE dc=mydomain,dc=de
URI ldaps://ldap.mydomain.de
TLS_REQCERT allow

My /etc/ldap/slapd.conf TLS/SSL configuration reads:

TLSCipherSuite  HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /etc/ssl/certs/mycert.pem
TLSCertificateKeyFile /etc/ssl/private/mycert-key.pem


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-ath64.ws
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages slapd depends on:
ii  coreutils [fileutils]       5.2.1-2      The GNU core utilities
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-18    Berkeley v4.2 Database Libraries [
pn  libiodbc2                                Not found.
ii  libldap-2.2-7               2.2.23-8     OpenLDAP libraries
ii  libltdl3                    1.5.6-6      A system independent dlopen wrappe
ii  libperl5.8                  5.8.4-8      Shared Perl library
ii  libsasl2                    2.1.19-1.5   Authentication abstraction library
ii  libslp1                     1.0.11a-2    OpenSLP libraries
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-perl]  5.8.4-8      Larry Wall's Practical Extraction 
ii  psmisc                      21.5-1       Utilities that use the proc filesy
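
The two traces in the report differ in only a few lines: the failing connection (connid=657) writes a fatal "bad record mac" alert and is closed with "TLS accept error", whereas the successful one (connid=656) reaches "write finished A". Note that "SSL_accept:error in SSLv3 read client certificate A" appears in both traces, so it is not by itself a failure indicator. The following script is an added example, not part of the report or of OpenLDAP: it reads `slapd -d 1` output, groups lines by connid, and reports how many TLS accepts failed and with which alert, which is a quicker way to measure a roughly 1-in-500 failure rate than reading the debug output by hand. The sample log is excerpted from the report's two traces plus one constructed extra connection (connid=658).

```python
"""Summarise TLS accept outcomes per connection from `slapd -d 1` debug output.

Added example for the bug report above; not code from the report or from OpenLDAP.
"""
import re
import sys
from collections import Counter

# Sample input: excerpted from the report's debug output (conn 657 failed,
# conn 656 succeeded) plus a constructed third connection 658 that succeeds.
SAMPLE_LOG = """\
connection_get(11): got connid=657
connection_read(11): checking for input on id=657
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=657
connection_read(11): checking for input on id=657
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL3 alert write:fatal:bad record mac
TLS trace: SSL_accept:error in SSLv3 read certificate verify A
TLS: can't accept.
TLS: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac s3_pkt.c:424
connection_read(11): TLS accept error error=-1 id=657, closing
connection_closing: readying conn=657 sd=11 for close
connection_close: conn=657 sd=11
connection_get(11): got connid=656
connection_read(11): checking for input on id=656
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=656
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=656
do_bind: v3 anonymous bind
connection_close: conn=656 sd=11
TLS trace: SSL3 alert write:warning:close notify
connection_get(11): got connid=658
TLS trace: SSL_accept:SSLv3 write finished A
connection_close: conn=658 sd=11
"""

CONN_RE = re.compile(r"^connection_get\(\d+\): got connid=(\d+)")
FATAL_ALERT_RE = re.compile(r"^TLS trace: SSL3 alert write:fatal:(.+)$")
# OpenSSL error strings look like "error:<hex code>:<library>:<function>:<reason>".
SSL_ERR_RE = re.compile(r"^TLS: error:([0-9A-Fa-f]+):(.*)$")
HANDSHAKE_DONE = "SSL_accept:SSLv3 write finished A"
ACCEPT_FAILED = "TLS accept error"


def parse_slapd_debug(lines):
    """Return {connid: record}; a record notes whether the handshake completed,
    any fatal alert slapd wrote, the OpenSSL error code, and whether slapd
    closed the connection because the accept failed."""
    conns = {}
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = CONN_RE.match(line)
        if m:
            # slapd repeats this line each time it services the same connection.
            current = m.group(1)
            conns.setdefault(current, {"tls_ok": False, "fatal_alert": None,
                                       "ssl_error": None, "accept_error": False})
            continue
        if current is None:
            continue  # lines before the first connid are unattributable
        rec = conns[current]
        if HANDSHAKE_DONE in line:
            rec["tls_ok"] = True
        if ACCEPT_FAILED in line:
            rec["accept_error"] = True
        m = FATAL_ALERT_RE.match(line)
        if m:
            rec["fatal_alert"] = m.group(1).strip()
        m = SSL_ERR_RE.match(line)
        if m:
            rec["ssl_error"] = m.group(1)
        # "error in SSLv3 read client certificate A" is deliberately ignored:
        # the report's successful trace contains it too.
    return conns


def summarize(conns):
    """Aggregate the per-connection records into counts and a failure rate."""
    total = len(conns)
    failed = {cid: r for cid, r in conns.items() if r["accept_error"]}
    by_cause = Counter(r["fatal_alert"] or r["ssl_error"] or "unknown"
                       for r in failed.values())
    return {
        "total": total,
        "failed": len(failed),
        "failure_rate": (len(failed) / total) if total else 0.0,
        "by_cause": dict(by_cause),
        "failed_connids": sorted(failed, key=int),
    }


if __name__ == "__main__":
    # Usage: python summarize_slapd_tls.py [slapd-debug.log]; defaults to the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(summarize(parse_slapd_debug(source)))
```

Run it over a capture of `slapd -d 1` stderr taken during a loop of `id someuser` calls; the failure rate and the per-cause breakdown make it easy to compare a gnutls-linked client run with an openssl-linked one, which is the comparison the report is asking about.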

