On Sat, 2010-06-19 at 23:01 -0400, Richard Matthew McCutchen wrote:
> On Fri, 2010-06-18 at 17:37 -0400, Richard Matthew McCutchen wrote:
> > On Fri, 2010-04-30 at 17:03 -0400, Richard Matthew McCutchen wrote:
> > > On Fri, 2010-04-30 at 16:10 -0400, Eric Sturdivant wrote:
> > > > On Fri, 30 Apr 2010, Richard Matthew McCutchen wrote:
> > > > > On Fri, 2010-04-30 at 13:11 -0400, Daniel Lenski wrote:
> > > > >> If I try ldaps://directory.umd.edu, I get an error about being
> > > > >> unable to contact the server.
> > > > >
> > > > > Indeed, the SSL interface seems to be broken. The server closes the
> > > > > connection without sending any data:
> > > >
> > > > Odd, it's working for me (and a lot of things would be broken if it
> > > > wasn't working):
> > > [...]
> > > > z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Syn
> > > > Seq=2539659181
> > > > Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
> > >
> > > I tried from glue and it works. Likewise from birdy.cs.umd.edu.
> > > However, it doesn't work from my computer on the wireless network, or
> > > using the UMD-Wireless VPN. Is there a firewall or something? The SSL
> > > interface has worked from my computer in the past.
> >
> > I spoke to John Pfeifer about this and we figured out what the problem
> > is. The server is throwing up because I have a new version of OpenSSL
> > that advertises RFC 5746 support via the renegotiation_info extension.
> > SSL servers are supposed to ignore extensions they don't understand.
>
> I was mistaken. OpenSSL uses the SCSV, not the extension. There must
> be some other SSL compatibility problem, since NSS is able to complete
> the handshake successfully. I will do some more tests and post my
> findings.
I got it this time. It is the session ticket extension (RFC 5077) that
makes the server throw up. If I pass -no_ticket to "openssl s_client", I
verified that the only change to the client hello is the removal of this
extension, and the handshake succeeds.

Since ldapsearch does not expose the option to disable the session
ticket, I wrote an LD_PRELOAD shim to enable the option on all OpenSSL
contexts. It is posted at:

http://terpconnect.umd.edu/~rmccutch/no-session-ticket-shim.tar.gz

ldapsearch works again for me when I use the shim.

-- 
Matt
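As an added illustration (not part of the thread and not Matt's shim), the following Python builds two constructed ClientHello records that differ only by the RFC 5077 session_ticket extension and parses them back to report the difference, which is the comparison described above for the -no_ticket run. The extension and SCSV numbers are the IANA-assigned values; the hello contents (zeroed random, cipher suite list) are constructed sample data.

```python
import struct

# IANA TLS extension types: session_ticket (RFC 5077), renegotiation_info (RFC 5746).
EXT_SESSION_TICKET = 0x0023
EXT_RENEGOTIATION_INFO = 0xFF01
SCSV_EMPTY_RENEGOTIATION_INFO = 0x00FF  # signalling cipher suite value, RFC 5746


def build_client_hello(extensions, cipher_suites=(0x002F, SCSV_EMPTY_RENEGOTIATION_INFO)):
    """Build a constructed TLS 1.0 ClientHello record carrying the given (type, data) extensions."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x01" + bytes(32)                     # client_version, random (zeroed; constructed)
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00"                                # compression_methods: null only
            + (struct.pack("!H", len(ext_blob)) + ext_blob if extensions else b""))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (cipher_suites, extension_types) from a TLS record holding a ClientHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    exts = []
    if pos < len(body):                            # the extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return suites, exts


def extension_diff(record_a, record_b):
    """Extension types present in record_a but absent from record_b."""
    return sorted(set(parse_client_hello(record_a)[1]) - set(parse_client_hello(record_b)[1]))
```

Comparing a hello with `[(EXT_RENEGOTIATION_INFO, b"\x00"), (EXT_SESSION_TICKET, b"")]` against one with only the renegotiation_info extension yields `[0x23]`, and both hellos still carry the SCSV in their cipher suite list.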