On Fri, 8 Feb 2002, Lutz Jaenicke wrote:
> On Fri, Feb 08, 2002 at 01:53:11AM -0700, Dax Kelson wrote:
> >
> > sshd/ftpd/telnetd -> pam_ldap -> libldap -> libssl/libcrypto
> >
> > To recap, when my dual processor Pentium III is idle, I *always* get a
> > return value of 0 from SSL_connect. If I bog down the box, I get "1" and
> > everything works (login successful).
> >
> > I added a check for SSL_get_error, and I get SSL_ERROR_SYSCALL.
> >
> > I check the error queue with ERR_get_error()
> >
> > My luck, I get 0 back from ERR_get_error().
> >
> > The man page says, if ERR_get_error returns 0, "an EOF was observed that
> > violates the protocol".
> >
> > <sigh>
> >
> > I just want my LDAP authentication to work on these two machines out of
> > about a dozen where it works fine. The machines that work are "slower"
> > 500MHz boxes; the failures are on a dual P3 and a single-CPU AMD 1700+.
> >
> > pam_ldap is using libldap (further using OpenSSL) to do a starttls
> > connection against a remote OpenLDAP server.
> >
> > I'm just banging my head against the keyboard here.
>
> Start by using ssldump (http://www.rtfm.com/ssldump). We really need to
> see what is going over the wire... (an EOF... would mean that it is the
> peer closing the connection... is this really true?).
>
> Best regards,
> Lutz
Ok, 2 months later here is the output from ssldump running on the LDAP
server:
The first TCP conn happens after I supply my username (nss_ldap).
The second TCP connection happens after I supply my password (pam_ldap).
10.1.0.57 is the client, 10.1.0.3 is the server
# ssldump -n host 10.1.0.57 and port 389
New TCP connection #1: 10.1.0.57(33046) <-> 10.1.0.3(389)
1 1 0.0109 (0.0109) C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  TLS_DHE_DSS_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC2
  SSL2_CK_RC4
  SSL2_CK_RC464
  TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
  TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC2_EXPORT40
  SSL2_CK_RC4_EXPORT40
1 2 0.0144 (0.0035) S>C Handshake
  ServerHello
  Version 3.1
  session_id[32]=
    d7 c0 43 0c bc 42 2d b4 05 af 5e 0d eb 0c df dd
    cc 0f f7 05 a9 24 cb d1 14 c9 36 6e 44 b2 55 40
  cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
  compressionMethod NULL
1 3 0.0157 (0.0013) S>C Handshake
  Certificate
1 4 0.0157 (0.0000) S>C Handshake
  ServerHelloDone
1 5 0.0180 (0.0023) C>S Handshake
  ClientKeyExchange
1 6 0.0180 (0.0000) C>S ChangeCipherSpec
1 7 0.0180 (0.0000) C>S Handshake
1 8 0.1404 (0.1224) S>C ChangeCipherSpec
1 9 0.1404 (0.0000) S>C Handshake
1 10 0.1432 (0.0027) C>S application_data
1 11 0.1474 (0.0042) S>C application_data
1 12 0.1480 (0.0005) C>S application_data
1 13 0.1546 (0.0066) S>C application_data
1 14 0.1614 (0.0067) C>S application_data
1 15 0.1678 (0.0064) S>C application_data
1 16 2.9909 (2.8231) C>S application_data
1 17 2.9973 (0.0063) S>C application_data
New TCP connection #2: 10.1.0.57(33047) <-> 10.1.0.3(389)
2 1 0.0066 (0.0066) C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  TLS_DHE_DSS_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC2
  SSL2_CK_RC4
  SSL2_CK_RC464
  TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
  TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC2_EXPORT40
  SSL2_CK_RC4_EXPORT40
2 0.0083 (0.0016) S>C TCP FIN
I took a closer look at this second TCP session with tethereal.
Here it is:
10.1.0.57 is the client, 10.1.0.3 is the server
41 6.488846 10.1.0.57 -> 10.1.0.3 TCP 33041 > 389 [SYN] Seq=2664529133 Ack=0 Win=5840 Len=0
42 6.489711 10.1.0.3 -> 10.1.0.57 TCP 389 > 33041 [SYN, ACK] Seq=3888408187 Ack=2664529134 Win=16384 Len=0
43 6.489753 10.1.0.57 -> 10.1.0.3 TCP 33041 > 389 [ACK] Seq=2664529134 Ack=3888408188 Win=5840 Len=0
44 6.491937 10.1.0.57 -> 10.1.0.3 LDAP MsgId=1 MsgType=Extended Request
45 6.495114 10.1.0.3 -> 10.1.0.57 LDAP MsgId=1 MsgType=Bad message type (24)
46 6.495155 10.1.0.57 -> 10.1.0.3 TCP 33041 > 389 [ACK] Seq=2664529165 Ack=3888408202 Win=5840 Len=0
47 6.495470 10.1.0.57 -> 10.1.0.3 LDAP Invalid LDAP packet
48 6.497238 10.1.0.3 -> 10.1.0.57 TCP 389 > 33041 [FIN, ACK] Seq=3888408202 Ack=2664529289 Win=17396 Len=0
50 6.529037 10.1.0.57 -> 10.1.0.3 TCP 33041 > 389 [ACK] Seq=2664529289 Ack=3888408203 Win=5840 Len=0
Any help, greatly appreciated!
Dax Kelson
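The two ssldump connections above show the two outcomes side by side: in #1 both sides send ChangeCipherSpec and application data follows, while in #2 the server answers the ClientHello with a TCP FIN, which is the peer-closed-the-connection EOF that Lutz suggested looking for behind the empty error queue. The script below is an added example for readers of this thread, not code from the post, from ssldump or from OpenSSL. It parses ssldump's text output (the record lines are copied from the trace above; the offered cipher-suite lists are abridged to a few entries) and reports, per TCP connection, whether the handshake completed, which suite was negotiated, whether the server closed before sending a ServerHello, and which offered suites are SSLv2-only or export-grade by name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Record lines copied from the ssldump trace quoted above; the ClientHello
# cipher-suite lists are abridged to a few representative entries.
SSLDUMP_TRACE = """\
New TCP connection #1: 10.1.0.57(33046) <-> 10.1.0.3(389)
1 1 0.0109 (0.0109) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_3DES
TLS_RSA_EXPORT_WITH_RC4_40_MD5
1 2 0.0144 (0.0035) S>C Handshake
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
1 3 0.0157 (0.0013) S>C Handshake
Certificate
1 4 0.0157 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.0180 (0.0023) C>S Handshake
ClientKeyExchange
1 6 0.0180 (0.0000) C>S ChangeCipherSpec
1 7 0.0180 (0.0000) C>S Handshake
1 8 0.1404 (0.1224) S>C ChangeCipherSpec
1 9 0.1404 (0.0000) S>C Handshake
1 10 0.1432 (0.0027) C>S application_data
New TCP connection #2: 10.1.0.57(33047) <-> 10.1.0.3(389)
2 1 0.0066 (0.0066) C>S SSLv2 compatible client hello
cipher suites
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4_EXPORT40
2 0.0083 (0.0016) S>C TCP FIN
"""

CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+) <-> (\S+)$")
RECORD_RE = re.compile(r"^(\d+) \d+ [\d.]+ \([\d.]+\) ([CS])>[CS] (.+)$")
TCP_RE = re.compile(r"^(\d+) [\d.]+ \([\d.]+\) ([CS])>[CS] TCP (\w+)$")


@dataclass
class Connection:
    number: int
    client: str
    server: str
    records: List[tuple] = field(default_factory=list)  # (sender, record type)
    offered: List[str] = field(default_factory=list)    # suites in the ClientHello
    negotiated: Optional[str] = None                    # cipherSuite from ServerHello
    saw_server_hello: bool = False
    fin_from: Optional[str] = None                      # "S" or "C" if a TCP FIN was seen

    def handshake_complete(self) -> bool:
        # The handshake is finished once both sides have sent ChangeCipherSpec.
        return {("C", "ChangeCipherSpec"), ("S", "ChangeCipherSpec")} <= set(self.records)

    def app_data_records(self) -> int:
        return sum(1 for _, kind in self.records if kind == "application_data")


def parse_ssldump(text: str) -> List[Connection]:
    conns, current, in_suites = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := CONN_RE.match(line):
            current = conns[int(m[1])] = Connection(int(m[1]), m[2], m[3])
            in_suites = False
        elif m := TCP_RE.match(line):        # e.g. "2 0.0083 (0.0016) S>C TCP FIN"
            if m[3] == "FIN":
                conns[int(m[1])].fin_from = m[2]
            in_suites = False
        elif m := RECORD_RE.match(line):     # e.g. "1 2 0.0144 (0.0035) S>C Handshake"
            current = conns[int(m[1])]
            current.records.append((m[2], m[3]))
            in_suites = False
        elif current is not None:            # detail line belonging to the last record
            if line == "cipher suites":
                in_suites = True
            elif line == "ServerHello":
                current.saw_server_hello = True
            elif line.startswith("cipherSuite "):
                current.negotiated = line.split(None, 1)[1]
            elif in_suites and re.fullmatch(r"[A-Z0-9_]+", line):
                current.offered.append(line)
            else:
                in_suites = False
    return [conns[k] for k in sorted(conns)]


def diagnose(conn: Connection) -> str:
    """Describe the connection from the client's point of view."""
    if conn.fin_from == "S" and not conn.saw_server_hello:
        return "server closed the connection before ServerHello (client sees EOF mid-handshake)"
    if conn.handshake_complete():
        return f"handshake completed with {conn.negotiated}; {conn.app_data_records()} application_data record(s)"
    return "handshake incomplete"


def weak_offered(conn: Connection) -> List[str]:
    """Offered suites that are SSLv2-only or export-grade, judged by name."""
    return [s for s in conn.offered if s.startswith("SSL2_CK_") or "EXPORT" in s]


if __name__ == "__main__":
    for c in parse_ssldump(SSLDUMP_TRACE):
        print(f"#{c.number} {c.client} -> {c.server}: {diagnose(c)}")
        if weak_offered(c):
            print("   weak suites offered:", ", ".join(weak_offered(c)))
```

Run it against a full `ssldump -n host ... and port 389` capture saved to a file, and a connection that ends with a server-side FIN and no ServerHello stands out immediately, without reading the raw records; the weak-suite list is there because a ClientHello that still offers SSLv2 and 40-bit export suites is worth knowing about when reviewing a capture like this one.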
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]