Executive summary:

I'm having a problem where two RHL7.2 LDAP clients out of many don't authenticate against an OpenLDAP server. They are using STARTTLS to connect to the server. The chain is:

    sshd -> pam_ldap -> openldap -> OpenSSL

In openldap-2.0.21/libraries/libldap/tls.c, line ~625:

    err = SSL_connect( ssl );

If the failing client is "slightly bogged down by ltracing the sshd process", then err == 1 (success); otherwise err == 0 (failure), and checking SSL_get_error I get SSL_ERROR_SYSCALL. The man page says:

    SSL_ERROR_SYSCALL
        Some I/O error occurred. The OpenSSL error queue may contain more
        information on the error. If the error queue is empty (i.e.
        ERR_get_error() returns 0), ret can be used to find out more about
        the error: If ret == 0, an EOF was observed that violates the
        protocol.

The box is an SMP dual Pentium III box running Red Hat Linux 7.2, fully updated with all official errata, plus the latest pam/nss_ldap, OpenLDAP 2.0.21 and OpenSSL 0.9.6b. I also tried 0.9.6c, rebuilding the src.rpm from Red Hat Rawhide.

I'm also having what appears to be the same problem on another box, which is a single-CPU AMD 1700+.

The Red Hat OpenSSL 0.9.6b RPM was configured/built with:

    ./config no-asm 386 no-idea no-mdc2 no-rc5 shared

According to the OpenLDAP developers, "libldap's use of TLS is very simple and there are no synchronization issues there."

Details:

pam_ldap.so calls ldap_start_tls_s. I tracked that down to openldap-2.0.21/libraries/libldap/tls.c. Eventually the ldap_int_tls_connect function is called. The important lines from this function are the OpenSSL functions:

    ssl = alloc_handle( ctx );   /* creates ssl handle */
    err = SSL_connect( ssl );

Then the existing code does:

    if ( err <= 0 ) {
        blah

I've modified it by adding this code right above it:

    if ( err == 0 ) {
        syslog (LOG_ERR, "SSL_connect returned 0\n");
        switch(SSL_get_error(ssl, err)) {
        case SSL_ERROR_NONE:
            syslog (LOG_ERR, "SSL_ERROR_NONE\n");
            break;
        case SSL_ERROR_ZERO_RETURN:
            syslog (LOG_ERR, "SSL_ERROR_ZERO_RETURN\n");
            break;
        case SSL_ERROR_WANT_READ:
            syslog (LOG_ERR, "SSL_ERROR_WANT_READ\n");
            break;
        case SSL_ERROR_WANT_WRITE:
            syslog (LOG_ERR, "SSL_ERROR_WANT_WRITE\n");
            break;
        case SSL_ERROR_WANT_CONNECT:
            syslog (LOG_ERR, "SSL_ERROR_WANT_CONNECT\n");
            break;
        case SSL_ERROR_WANT_X509_LOOKUP:
            syslog (LOG_ERR, "SSL_ERROR_WANT_X509_LOOKUP\n");
            break;
        case SSL_ERROR_SYSCALL:
            syslog (LOG_ERR, "SSL_ERROR_SYSCALL\n");
            break;
        case SSL_ERROR_SSL:
            syslog (LOG_ERR, "SSL_ERROR_SSL\n");
            break;
        default:
            syslog (LOG_ERR, "Error in reading SSL handle\n");
        }
    }

SSH attempt (successful, BTW) into the machine slightly bogged down:

    Feb 7 02:04:33 mooru sshd[17186]: SSL_connect returned 1

SSH attempt into the machine not bogged down:

    Feb 7 02:12:18 mooru sshd[19396]: SSL_connect returned 0
    Feb 7 02:12:18 mooru sshd[19396]: SSL_ERROR_SYSCALL
    Feb 7 02:12:18 mooru sshd[19396]: TLS: can't connect.        (other debug I added)
    Feb 7 02:12:18 mooru sshd[19396]: pam_ldap: ldap_starttls_s: Connect error

At this point, I am at a loss how to further debug/diagnose it. I'm more than happy to test out patches though.

Dax Kelson

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
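An added example, not from Dax Kelson's post nor from OpenLDAP's tls.c: the decision procedure the SSL_get_error(3) man page quoted above prescribes for a failed SSL_connect(), applied to the case in the post. The posted switch logs only the SSL_get_error code, and only when ret == 0; the man page's procedure also needs the error queue (ERR_get_error) and, when ret == -1, errno, which has to be saved immediately after SSL_connect() returns because syslog() and other libc calls may overwrite it. The SSL_ERROR_* constants below are copied from OpenSSL's ssl.h so the block compiles without libssl; the function takes the SSL_get_error result, the error-queue head and the saved errno as parameters instead of calling the library, and the inputs in main() are constructed to match the failing log lines (with an assumed empty error queue).

```c
/* Added example: classify a failed SSL_connect() the way SSL_get_error(3)
 * describes.  Not part of the original post or of OpenLDAP.  The SSL_ERROR_*
 * values mirror OpenSSL's <openssl/ssl.h>; real code passes the results of
 * SSL_get_error(), ERR_get_error() and the errno saved right after
 * SSL_connect() returned. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SSL_ERROR_NONE             0
#define SSL_ERROR_SSL              1
#define SSL_ERROR_WANT_READ        2
#define SSL_ERROR_WANT_WRITE       3
#define SSL_ERROR_WANT_X509_LOOKUP 4
#define SSL_ERROR_SYSCALL          5
#define SSL_ERROR_ZERO_RETURN      6
#define SSL_ERROR_WANT_CONNECT     7

typedef enum {
    CONNECT_OK,         /* ret == 1: handshake completed */
    CONNECT_RETRY,      /* non-blocking socket: call SSL_connect() again */
    CONNECT_PEER_EOF,   /* ret == 0, SYSCALL, empty queue: peer hung up mid-handshake */
    CONNECT_OS_ERROR,   /* ret == -1, SYSCALL, empty queue: consult errno */
    CONNECT_TLS_ERROR,  /* SSL_ERROR_SSL, or SYSCALL with a non-empty error queue */
    CONNECT_CLOSED,     /* SSL_ERROR_ZERO_RETURN: clean close_notify from the peer */
    CONNECT_UNKNOWN
} connect_verdict;

/* ret:         value returned by SSL_connect()
 * ssl_err:     SSL_get_error(ssl, ret)
 * queue_head:  first ERR_get_error() result, 0 if the queue was empty
 * saved_errno: errno captured immediately after SSL_connect() returned
 * msg/len:     explanation for syslog; msg may be NULL with len 0 */
connect_verdict classify_ssl_connect(int ret, int ssl_err,
                                     unsigned long queue_head, int saved_errno,
                                     char *msg, size_t len)
{
    if (ret == 1) {
        snprintf(msg, len, "TLS handshake completed");
        return CONNECT_OK;
    }
    switch (ssl_err) {
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
    case SSL_ERROR_WANT_CONNECT:
    case SSL_ERROR_WANT_X509_LOOKUP:
        snprintf(msg, len, "handshake incomplete, retry SSL_connect (code %d)", ssl_err);
        return CONNECT_RETRY;
    case SSL_ERROR_ZERO_RETURN:
        snprintf(msg, len, "peer sent close_notify during the handshake");
        return CONNECT_CLOSED;
    case SSL_ERROR_SSL:
        snprintf(msg, len, "TLS library/protocol error, queue head 0x%08lx", queue_head);
        return CONNECT_TLS_ERROR;
    case SSL_ERROR_SYSCALL:
        if (queue_head != 0) {
            /* The queue explains the I/O error; drain it with ERR_get_error(). */
            snprintf(msg, len, "I/O error with TLS detail, queue head 0x%08lx", queue_head);
            return CONNECT_TLS_ERROR;
        }
        if (ret == 0) {
            /* Man page: empty queue and ret == 0 means an EOF that violates
               the protocol, i.e. the peer closed the TCP connection. */
            snprintf(msg, len, "peer closed the connection before the handshake finished");
            return CONNECT_PEER_EOF;
        }
        snprintf(msg, len, "socket error: %s", strerror(saved_errno));
        return CONNECT_OS_ERROR;
    default:
        snprintf(msg, len, "unexpected SSL_get_error value %d for ret %d", ssl_err, ret);
        return CONNECT_UNKNOWN;
    }
}

int main(void)
{
    char msg[128];
    /* Constructed to match the failing client: ret 0, SSL_ERROR_SYSCALL,
       and an (assumed) empty error queue. */
    connect_verdict v = classify_ssl_connect(0, SSL_ERROR_SYSCALL, 0, 0, msg, sizeof msg);
    printf("verdict %d: %s\n", v, msg);
    return 0;
}
```

For the post's inputs the verdict is CONNECT_PEER_EOF: the server side dropped the TCP connection during the handshake rather than the client library failing on its own, which points the next debugging step at a packet capture of the STARTTLS exchange and at slapd's own log for the same connection. Whether the queue really is empty in the failing case is an assumption here; the posted code never calls ERR_get_error, so the post cannot tell us.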