Hi, I have trouble getting openldap clients to connect to an openldap
server; when the connection is opened, the server says "error in SSLv3
flush data" and the client hangs.  This happens only for connections
through the network (local connections work without problem), and
whether it occurs or not depends on the debug level (for example, if
-d2 is used on slapd, the problem does not occur).  It's not certain
that the problem is in OpenSSL, but I need some help anyway in order
to debug it further and narrow it down.

The server is Debian etch, with all software being packaged by Debian:
OpenLDAP 2.3.30 and OpenSSL 0.9.8c.  There is identical behaviour with
two clients: a Debian etch and a Ubuntu 6.10.  I tried compiling
OpenLDAP 2.3.32 from upstream (against Debian's shared libssl), and
there was the same problem.  I also tried compiling OpenSSL 0.9.8e
(with ./config shared) and put the resulting shared library in place
of Debian's, and ran Debian's OpenLDAP 2.3.30, and again I had the
same problem.  Then, I tried to look at the code to find out more
about what "error in SSLv3 flush data" means and why and where it
occurs.

But I don't quite understand the code, of course.  In bio_lib.c,
BIO_ctrl runs with cmd=SSL3_ST_SW_FLUSH, with b being a "buffer" (type
0x209).  When it reaches the line

        ret=b->method->ctrl(b,cmd,larg,parg);

control goes over to buffer_ctrl in bf_buff.c.  It goes to

    case BIO_CTRL_FLUSH:

from where it runs BIO_write(b->next_bio, ...).  Now b->next_bio is
"sockbuf glue", and I don't know what that means; its type, 0x464,
is not listed in bio.h, so I don't get it.  In any case, if I enable
the debugging fprintf command, its result is

    FLUSH [  0] 1603 ->  -1

The problem does not manifest all the time.  The first time I try a
request after starting slapd, it's _usually_ OK, and the next times
it's _usually_ as described.

Could you tell me if I'm on the right track and how to proceed?
Needless to say I'm not much interested in digging in the code - my
only motivation is to get it to work, so if there's an easier path,
I'd prefer it.

Previous reports on this issue:
http://www.mail-archive.com/openldap-software@openldap.org/msg08065.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412706

Thanks for any help!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]