Full_Name: Brian A. Seklecki Version: 2.4.21 OS: FreeBSD, Linux, Plan 9, CP/M, Bubble Memory URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2607:f000:10:202:21a:a0ff:fec2:7a6c)
I'll try not to be ambiguous in my bug report.
We received a support request escalation regarding an ambiguous error printed by slapd(8) at init.
After review, we found that SSL library calls in OpenLDAP are not properly reporting back to the user fopen() problems when TLSCert* configuration objects are unreadable by the effective POSIX user.
E.g., when a private key/cert/intermediary cert chain has POSIX permissions restricting read access by "-u $USER", the following error is printed:
User Steve Polyack reports a similar error here: http://www.openldap.org/lists/openldap-software/201002/msg00025.html
Also Google says:
Results 1-10 of about 1,730 for "main: TLS init def ctx failed: -1".
Some of these result all the back to early 2003
If you look at mailing list archives, similar error reports appear thousands of times from confused users who thought they were being diligent in by setting restrictive permissions only to receive an ambiguous error that indicates nothing about excessively restrictive permissions.
The problem is that this error gets printed with "-1" under too many conditions in libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
...which in turn sets rc= in servers/slapd/main.c:
Which prints:
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: main: TLS init def ctx failed: -1
So unless you've browsed through the OpenSSL API guide, you wouldn't even know what the CTX data structure is or how it relates to this. They do a pretty shitty job of explaining it even, so why bother mentioning it?
Anyway, until we can implement OpenSSL's err(3) framework, we should refer to the user to ssl.h for RC values from ldap_pvt_tls_set_option() greater than 0.
For errors, greater than 1, ldap_pvt_tls_set_option() can return that in about 15 different locations.
It _could also_ pass on a -1 return code from ldap_int_tls_init_ctx () at:
return ldap_int_tls_init_ctx( lo, *(int *)arg );
There are no shortage of places where where -1 could be returned to user in our code, so we should make -1 return codes other negative values to nudge the user along. Additional Debug() statements would be useful, but I don't want to get greedy.
~BAS
-----------------
These patches compile-test. I'll push them into our pre-production environment:
$ diff -u servers/slapd/main.c-orig servers/slapd/main.c --- servers/slapd/main.c-orig 2010-02-18 16:52:37.000000000 -0500 +++ servers/slapd/main.c 2010-02-18 16:57:30.000000000 -0500 @@ -843,8 +843,16 @@ load_extop( &slap_EXOP_START_TLS, 0, starttls_extop ); } else if ( rc != LDAP_NOT_SUPPORTED ) { Debug( LDAP_DEBUG_ANY, - "main: TLS init def ctx failed: %d\n", + "main: TLS initialization of def SSL/TLS CTX object failed with err: %d\n", rc, 0, 0 ); + + if (rc < 0) { + Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n", rc, 0, 0); + } + if (rc > 0) { + Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we add err(3) support.\n", rc, 0, 0); + } + rc = 1; SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 ); goto destroy;
$ diff -u ./libraries/libldap/tls2.c-orig ./libraries/libldap/tls2.c --- ./libraries/libldap/tls2.c-orig 2010-02-18 17:14:59.000000000 -0500 +++ ./libraries/libldap/tls2.c 2010-02-18 17:16:25.000000000 -0500 @@ -704,7 +704,7 @@
switch( option ) { case LDAP_OPT_X_TLS: - if ( !arg ) return -1; + if ( !arg ) return -2;
switch( *(int *) arg ) { case LDAP_OPT_X_TLS_NEVER: @@ -718,7 +718,7 @@
return 0; } - return -1; + return -3;
case LDAP_OPT_X_TLS_CTX: if ( lo->ldo_tls_ctx ) @@ -757,7 +757,7 @@ lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; return 0; case LDAP_OPT_X_TLS_REQUIRE_CERT: - if ( !arg ) return -1; + if ( !arg ) return -3; switch( *(int *) arg ) { case LDAP_OPT_X_TLS_NEVER: case LDAP_OPT_X_TLS_DEMAND: @@ -767,10 +767,10 @@ lo->ldo_tls_require_cert = * (int *) arg; return 0; } - return -1; + return -4; #ifdef HAVE_OPENSSL_CRL case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ - if ( !arg ) return -1; + if ( !arg ) return -5; switch( *(int *) arg ) { case LDAP_OPT_X_TLS_CRL_NONE: case LDAP_OPT_X_TLS_CRL_PEER: @@ -778,7 +778,7 @@ lo->ldo_tls_crlcheck = * (int *) arg; return 0; } - return -1; + return -6; #endif case LDAP_OPT_X_TLS_CIPHER_SUITE: if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); @@ -786,17 +786,17 @@ return 0;
case LDAP_OPT_X_TLS_PROTOCOL_MIN: - if ( !arg ) return -1; + if ( !arg ) return -7; lo->ldo_tls_protocol_min = *(int *)arg; return 0; case LDAP_OPT_X_TLS_RANDOM_FILE: if ( ld != NULL ) - return -1; + return -8; if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_NEWCTX: - if ( !arg ) return -1; + if ( !arg ) return -9; if ( lo->ldo_tls_ctx ) ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); lo->ldo_tls_ctx = NULL;