Brian A. Seklecki (CFI NOC) wrote:
Steve, I agree:
This error gets printed with "-1" under too many
conditions. Just look at:
libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
RC (return code) -1 could happen in about a dozen places.
I think we need to take a two step approach to fixing this:
1) Long term, implement OpenSSL's err(3)
What are you talking about? tlso_report_error() already prints the OpenSSL
error messages. All OpenSSL error messages have been fully logged, for years.
2) Short term, in servers/slapd/main.c:
Debug( LDAP_DEBUG_ANY,
"main: TLS init def ctx failed: %d\n",
rc, 0, 0 );
We should change / append to this to clarify:
if ( rc < 0 )
        Debug( LDAP_DEBUG_ANY, "main: something has gone terribly "
                "wrong in creation of the SSL data structure. Check "
                "filesystem permissions, ownership bits, ACLs, configuration "
                "file paths. Resort to strace(1)/ktrace(1) "
                "debugging.\n", rc, 0, 0 );
if ( rc > 0 )
        Debug( LDAP_DEBUG_ANY, "main: something has gone wrong "
                "in creation of the SSL socket data structure. Please "
                "check the OpenSSL error code above against: "
                "/usr/include/openssl/ssl until we err(3) support\n", rc, 0, 0 );
Pointless, since all failures inside init_ctx already call tlso_report_error().
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
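The two failure classes the thread argues over, an OS-level problem with the certificate files (permissions, paths) versus a failure inside OpenSSL while building the context, surface through different channels: errno for the former, OpenSSL's error queue for the latter. The example below is added here to illustrate that split and is not OpenLDAP or OpenSSL code; it uses Python's ssl module, which lifts the queue's library/reason strings into ssl.SSLError, as a stand-in for what tlso_report_error() prints in slapd. The function names classify_tls_init_failure and demo, and the GARBAGE_PEM input, are constructed for this example.

```python
import os
import ssl
import tempfile

# Constructed input: a PEM-framed blob whose body is not valid base64/DER,
# so the file opens fine but OpenSSL's PEM layer rejects it.
GARBAGE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"this is not a certificate\n"
    b"-----END CERTIFICATE-----\n"
)


def classify_tls_init_failure(certfile, keyfile=None):
    """Build a server TLS context from PEM files and say which class of
    failure occurred, if any.

    "os"      -> the file could not be read; errno says why (ENOENT, EACCES, ...).
                 This is the "check permissions / paths" case.
    "openssl" -> the file was read but OpenSSL rejected its contents; the
                 library/reason strings come straight from OpenSSL's error queue,
                 i.e. the information ERR_get_error()/ERR_error_string_n() yield.
    "ok"      -> the chain loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as e:
        # ssl.SSLError is a subclass of OSError, so it must be caught first.
        return {
            "kind": "openssl",
            "library": e.library,
            "reason": e.reason,
            "msg": str(e),
        }
    except OSError as e:
        return {
            "kind": "os",
            "errno": e.errno,
            "msg": os.strerror(e.errno) if e.errno else str(e),
        }
    return {"kind": "ok"}


def demo():
    """Exercise both failure classes against files created in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        garbage = os.path.join(d, "garbage.pem")
        with open(garbage, "wb") as f:
            f.write(GARBAGE_PEM)
        return {
            "missing": classify_tls_init_failure(os.path.join(d, "does-not-exist.pem")),
            "garbage": classify_tls_init_failure(garbage),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The missing-file case reports kind "os" with errno ENOENT and no OpenSSL error at all, which is why a generic "check the OpenSSL error code above" message would mislead there; the garbage-file case reports kind "openssl" with the queue's own library and reason text, which is the information slapd already logs through tlso_report_error().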