Hello
I experience a weird problem with OpenLDAP and TLS connections. slapd will randomly reject connections, with a "TLS negotiation failure" error message.
That happens with various clients (MacOS, NetBSD, Linux), and it happens on multiple machines that run slapd. The current setup is below:
OpenLDAP 2.4.16
OpenSSL 0.9.9-dev 09 May 2008
NetBSD 5.0.1
But the problem also existed before upgrades with NetBSD 4.0 and OpenLDAP 2.4.14. It seems to become worse over time.
Here is a trace obtained with a breakpoint set on the error message in slapd.
conn=0 fd=19 ACCEPT from IP=193.54.82.248:59782 (IP=193.54.82.23:636)
TLS: can't accept: (null).

Breakpoint 1, connection_read (s=19, cri=0xa63ff8ac) at connection.c:1326
1326        connection_closing( c, "TLS negotiation failure" );
(gdb) bt
#0  connection_read (s=19, cri=0xa63ff8ac) at connection.c:1326
#1  0x08078bf9 in connection_read_thread (ctx=0xa63ff900, argv=0x13) at connection.c:1216
#2  0xbbbaad3a in ldap_int_thread_pool_wrapper (xpool=0xbb540080) at tpool.c:663
#3  0xbb85e9df in pthread_create () from /usr/lib/libpthread.so.0
#4  0xbb7aa640 in swapcontext () from /usr/lib/libc.so.12
(gdb) c
Continuing.
conn=1 fd=20 ACCEPT from IP=193.54.82.248:59783 (IP=193.54.82.23:636)
conn=0 fd=19 closed (TLS negotiation failure)
So connection_read() reports an error from ldap_pvt_tls_accept(), which is caused by tls_imp->ti_session_accept(). For OpenSSL, that is tlso_session_accept(), which just calls SSL_accept().
Does that ring a bell to anyone? Any suggestion for a workaround?
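The post says the failures are random and seem to get worse over time; a first step toward pinning that down is to measure it from the slapd connection log rather than from gdb. The script below is an added example, not code from the original post or from the OpenLDAP project. It correlates the "ACCEPT from IP=..." line with the later "closed (TLS negotiation failure)" line for the same conn id (the log layout shown in the trace above) and reports, per client IP, how many handshakes were accepted and how many ended in a TLS negotiation failure. The sample log lines are constructed for the example; the function names are my own.

```python
import re
from collections import defaultdict

# Log layout as it appears in the slapd trace above: an ACCEPT line names the
# client (first IP=...) and the listener (second IP=...), and a later "closed"
# line for the same conn id carries the close reason in parentheses.
ACCEPT_RE = re.compile(
    r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=([\d.]+):\d+\)"
)
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?")

TLS_FAILURE = "TLS negotiation failure"


def tls_failure_stats(lines):
    """Correlate ACCEPT/closed lines by conn id.

    Returns {client_ip: {"accepted": n, "tls_failures": m}}.  Only a close
    whose reason contains TLS_FAILURE counts as a failure; a plain "closed"
    (normal unbind) does not.
    """
    open_conns = {}  # conn id -> client ip, while the connection is open
    stats = defaultdict(lambda: {"accepted": 0, "tls_failures": 0})
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn, client_ip = m.group(1), m.group(2)
            open_conns[conn] = client_ip
            stats[client_ip]["accepted"] += 1
            continue
        m = CLOSED_RE.search(line)
        if m:
            conn, reason = m.group(1), m.group(2) or ""
            client_ip = open_conns.pop(conn, None)
            if client_ip is not None and TLS_FAILURE in reason:
                stats[client_ip]["tls_failures"] += 1
    return dict(stats)


def failure_rates(stats):
    """Fraction of accepted connections per client IP that failed TLS setup."""
    return {
        ip: counts["tls_failures"] / counts["accepted"]
        for ip, counts in stats.items()
        if counts["accepted"]
    }


# Constructed sample log, modelled on the lines quoted in the post (assumed
# layout; the 10.0.0.5 client and the conn=2 lines are made up for the example).
SAMPLE_LOG = [
    "conn=0 fd=19 ACCEPT from IP=193.54.82.248:59782 (IP=193.54.82.23:636)",
    "TLS: can't accept: (null).",
    "conn=1 fd=20 ACCEPT from IP=193.54.82.248:59783 (IP=193.54.82.23:636)",
    "conn=0 fd=19 closed (TLS negotiation failure)",
    "conn=2 fd=21 ACCEPT from IP=10.0.0.5:40001 (IP=193.54.82.23:636)",
    "conn=1 fd=20 closed",
    "conn=2 fd=21 closed (TLS negotiation failure)",
]

if __name__ == "__main__":
    stats = tls_failure_stats(SAMPLE_LOG)
    for ip, rate in sorted(failure_rates(stats).items()):
        c = stats[ip]
        print(f"{ip}: {c['tls_failures']}/{c['accepted']} TLS failures ({rate:.0%})")
```

Run it over the real slapd log (for example `tls_failure_stats(open("/var/log/slapd.log"))`) to see whether the failures cluster on particular clients or are spread evenly; comparing the rate across days is a simple way to check the "worse over time" impression with numbers.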