On Tue, 2010-06-22 at 12:31 -0400, Richard Matthew McCutchen wrote:
> > > > > On Fri, 30 Apr 2010, Richard Matthew McCutchen wrote:
> > > > > > On Fri, 2010-04-30 at 13:11 -0400, Daniel Lenski wrote:
> > > > > >> If I try ldaps://directory.umd.edu, I get an error about being 
> > > > > >> unable to
> > > > > >> contact the server.
> > > > > >
> > > > > > Indeed, the SSL interface seems to be broken.  The server closes the
> > > > > > connection without sending any data:

> I got it this time.  It is the session ticket extension (RFC 5077) that
> makes the server throw up.  If I pass -no_ticket to "openssl s_client",
> I verified that the only change to the client hello is the removal of
> this extension, and the handshake succeeds.
> 
> Since ldapsearch does not expose the option to disable the session
> ticket, I wrote an LD_PRELOAD shim to enable the option on all OpenSSL
> contexts.  It is posted at:
> 
> http://terpconnect.umd.edu/~rmccutch/no-session-ticket-shim.tar.gz
> 
> ldapsearch works again for me when I use the shim.

It turns out that's not quite right either.  The server appears to be
simply what is known as "extension intolerant".  Including the
server_name extension OR the session_ticket extension in the ClientHello
is enough to make the server fail.  For different clients, different
measures may be necessary to disable extensions.

For reference, here are the behaviors of the various clients I tried, as
seen with NSS ssltap:

Firefox 3.5.9: TLS 1.0 hello with server_name and session_ticket.  If
the server drops the connection, try again with SSL 2 hello.

NSS 3.12.6 tstclnt: SSL 2 hello by default.  If -2 is passed, then TLS
1.0 hello, and server_name and session_ticket can be added by passing -a
and -u respectively.

OpenSSL 1.0.0a s_client: TLS 1.0 hello with session_ticket, which can be
disabled with -no_ticket.

openldap 2.4.21: TLS 1.0 hello with session_ticket, no option to disable
it.

gnutls-cli 2.8.6: TLS 1.0 hello with server_name, which can be disabled
with --disable-extensions.

-- 
Matt
