Hello list.
I was told by Mozilla NSS developers that OpenLDAP is shutting down the TLS context incorrectly. The order of the operations is incorrect, at least for the MozNSS backend.
As this part of the code is common for all TLS backends in OpenLDAP, I would like to be sure about the way of fixing it.
We think that ber_sockbuf_free() should be called before ldap_int_tls_destroy() in ldap_ld_free(). Currently, the order is the opposite.
This is the original reasoning from John Dennis:
In other words, what is happening is an SSL socket is created using an NSS context (i.e. the NSS context must exist prior to creating the SSL socket). But when the socket is disposed of, the order of operations isn't mirrored in reverse. The socket should be disposed of first because it belongs to the NSS context, then the NSS context should be destroyed. But openldap is performing the opposite, it's destroying the NSS context first and then the socket.
I'm not familiar with OpenSSL and GnuTLS, and I haven't found any information about ordering the shutdown operations in their documentation. I just went through the OpenLDAP code for other backends and my opinion is that this problem is related to all backends. IMO the socket should really be shut down and closed before destroying the context with opened certificates and other resources. But maybe I'm wrong.
Please, can somebody confirm or invalidate this?
Thanks and regards!
Jan
Jan Vcelak wrote:
Hello list.
I was told by Mozilla NSS developers that OpenLDAP is shutting down the TLS context incorrectly. The order of the operations is incorrect, at least for the MozNSS backend.
As this part of the code is common for all TLS backends in OpenLDAP, I would like to be sure about the way of fixing it.
We think that ber_sockbuf_free() should be called before ldap_int_tls_destroy() in ldap_ld_free(). Currently, the order is the opposite.
This is the original reasoning from John Dennis:
In other words, what is happening is an SSL socket is created using an NSS context (i.e. the NSS context must exist prior to creating the SSL socket). But when the socket is disposed of, the order of operations isn't mirrored in reverse. The socket should be disposed of first because it belongs to the NSS context, then the NSS context should be destroyed. But openldap is performing the opposite, it's destroying the NSS context first and then the socket.
I'm not familiar with OpenSSL and GnuTLS, and I haven't found any information about ordering the shutdown operations in their documentation. I just went through the OpenLDAP code for other backends and my opinion is that this problem is related to all backends. IMO the socket should really be shut down and closed before destroying the context with opened certificates and other resources. But maybe I'm wrong.
Please, can somebody confirm or invalidate this?
What you're saying makes sense. However, I think things were set up in this order because technically the socket can outlive the TLS context. (Though in LDAP there is no Stop TLS request, it seems to me that it was intended at some point.)
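The ordering question in this thread, as an added example that is not part of either message and is not OpenLDAP or NSS code: a toy model in which a socket either borrows its TLS context or holds a counted reference to it. Every name in it is hypothetical, and the reference counting goes beyond the thread, as one way to make teardown safe when a socket may outlive its context.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model only: every name is hypothetical, none is OpenLDAP or NSS API. */
typedef struct { int refs; int *freed; } tls_ctx;   /* *freed set on release */
typedef struct { tls_ctx *ctx; int counted; } tls_sock;

static tls_ctx *ctx_new(int *freed) {
    tls_ctx *c = malloc(sizeof *c);
    if (c) { c->refs = 1; c->freed = freed; *freed = 0; }
    return c;
}

/* Drop one reference; the context's resources go away with the last one. */
static void ctx_unref(tls_ctx *c) {
    if (--c->refs == 0) { *c->freed = 1; free(c); }
}

/* counted != 0: the socket pins the context until the socket is closed. */
static tls_sock *sock_new(tls_ctx *c, int counted) {
    tls_sock *s = malloc(sizeof *s);
    if (s) { s->ctx = c; s->counted = counted; if (counted) c->refs++; }
    return s;
}

static void sock_free(tls_sock *s) {
    if (s->counted) ctx_unref(s->ctx);  /* safe: our reference kept ctx alive */
    free(s);
}

/* 1: context was valid at socket close and released by the end;
 * 0: socket was closed against a released context; -1: allocation failure. */
int teardown(int ctx_first, int counted) {
    int freed = 0, ctx_valid_at_close;
    tls_ctx *c = ctx_new(&freed);
    if (!c) return -1;
    tls_sock *s = sock_new(c, counted);
    if (!s) { ctx_unref(c); return -1; }
    if (ctx_first) ctx_unref(c);        /* order the thread says is used now */
    ctx_valid_at_close = !freed;
    sock_free(s);
    if (!ctx_first) ctx_unref(c);       /* proposed order: socket, then context */
    return ctx_valid_at_close && freed;
}

int main(void) {
    printf("borrowed, context first: %d\n", teardown(1, 0));
    printf("counted,  context first: %d\n", teardown(1, 1));
    return 0;
}
```

With a borrowed context only the socket-first order is safe; with a counted reference both orders release the context exactly once, after the socket is closed.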