I'm having a lot of trouble with replication when using SSL. If I configure everything exactly the same without SSL, it works flawlessly. The instant I try to encrypt traffic, one or both servers will deadlock, even after restart.
I'm configuring according to the instructions at http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master, except using ldaps:// instead of ldap://.
In cn=config, I've set up:
olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem
olcTLSCertificateFile: /etc/openldap/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
I've also tried using STARTTLS over ldap:// and it seems to make no difference.
Permissions are right and I can connect via SSL from clients without issue.
I'm completely stumped as to what might be going on. Has anyone seen this before?
This is running on Scientific Linux 6 with the following packages:
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
openldap-servers-2.4.23-32.el6_4.x86_64
--On Wednesday, September 25, 2013 1:43 PM -0700 Chad Scott cscott@appdynamics.com wrote:
This is running on Scientific Linux 6 with the following packages:
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
openldap-servers-2.4.23-32.el6_4.x86_64
I would strongly advise you to use a current release of OpenLDAP linked to a current release of OpenSSL. The above packages are years out of date, and there are numerous known bugs with MMR fixed since then.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 09/25/13 13:43 -0700, Chad Scott wrote:
I'm having a lot of trouble with replication when using SSL. If I configure everything exactly the same without SSL, it works flawlessly. The instant I try to encrypt traffic, one or both servers will deadlock, even after restart.
Does slapd still respond? If so, verify that your entropy is not being depleted for your SSL connections. I believe by default OpenSSL uses /dev/random, which can block. Check /proc/sys/kernel/random/entropy_avail.
I'm configuring according to the instructions at http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master, except using ldaps:// instead of ldap://.
In cn=config, I've set up:
olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem
olcTLSCertificateFile: /etc/openldap/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
I've also tried using STARTTLS over ldap:// and it seems to make no difference.
Permissions are right and I can connect via SSL from clients without issue.
I'm completely stumped as to what might be going on. Has anyone seen this before?
This is running on Scientific Linux 6 with the following packages:
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
openldap-servers-2.4.23-32.el6_4.x86_64
Definitely not an entropy problem. I see "ACCEPT" in the logs, but nothing else.
I hadn't realized RedHat was so damn behind. I'm going to generate a custom package with the latest version and see if the problem goes away.
On Wed, Sep 25, 2013 at 2:21 PM, Dan White dwhite@olp.net wrote:
On 09/25/13 13:43 -0700, Chad Scott wrote:
I'm having a lot of trouble with replication when using SSL. If I configure everything exactly the same without SSL, it works flawlessly. The instant I try to encrypt traffic, one or both servers will deadlock, even after restart.
Does slapd still respond? If so, verify that your entropy is not being depleted for your SSL connections. I believe by default OpenSSL uses /dev/random, which can block. Check /proc/sys/kernel/random/entropy_avail.
I'm configuring according to the instructions at http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master, except using ldaps:// instead of ldap://.
In cn=config, I've set up:
olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem
olcTLSCertificateFile: /etc/openldap/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
I've also tried using STARTTLS over ldap:// and it seems to make no difference.
Permissions are right and I can connect via SSL from clients without issue.
I'm completely stumped as to what might be going on. Has anyone seen this before?
This is running on Scientific Linux 6 with the following packages:
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
openldap-servers-2.4.23-32.el6_4.x86_64
-- Dan White
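The symptom above (an ACCEPT in the slapd log, then silence) can be checked mechanically. The following is an added example, not code from the thread or from the OpenLDAP project: it scans slapd "stats" log lines and lists connections that were accepted on the TLS listener but never logged "TLS established" or a BIND, which is the signature of a handshake that stalled before syncrepl ever got to run. The log lines are constructed for the example; the peer addresses, connection ids and log path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag slapd connections that were
# ACCEPTed but never logged "TLS established" or a BIND, i.e. stalled
# handshakes, matching the "ACCEPT but nothing else" symptom.
# Assumes loglevel "stats" output, e.g. from /var/log/slapd.log (path assumed).

# Constructed sample log lines for offline testing (addresses are made up).
SAMPLE_LOG='Sep 25 14:30:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.0.2:45678 (IP=0.0.0.0:636)
Sep 25 14:30:01 ldap1 slapd[1234]: conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
Sep 25 14:30:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=replicator,dc=example,dc=com" method=128
Sep 25 14:30:05 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.0.0.3:45680 (IP=0.0.0.0:636)
Sep 25 14:30:09 ldap1 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=10.0.0.3:45681 (IP=0.0.0.0:636)
Sep 25 14:30:09 ldap1 slapd[1234]: conn=1002 fd=14 closed (connection lost)'

# Read log lines on stdin; print "conn=N IP=peer" for every connection that
# was accepted but shows no TLS or BIND progress (a close alone is not progress).
stalled_conns() {
    awk '
        /ACCEPT from/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) c = $i
            for (i = 1; i <= NF; i++) if ($i ~ /^IP=/) { peer = $i; break }
            accepted[c] = peer
        }
        /TLS established/ || / BIND / {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) progressed[$i] = 1
        }
        END {
            for (c in accepted) if (!(c in progressed)) print c, accepted[c]
        }
    ' | sort
}

# Number of stalled connections. A count that keeps growing while replication
# stays silent points at the TLS layer (library, entropy, certificates)
# rather than at the syncrepl configuration itself.
stalled_count() {
    stalled_conns | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists conn=1001 and conn=1002.
printf '%s\n' "$SAMPLE_LOG" | stalled_conns
```

Against a live server, replace the sample with `grep slapd /var/log/slapd.log | stalled_conns` and compare the peers listed with the replication partners' addresses.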
--On Wednesday, September 25, 2013 2:32 PM -0700 Chad Scott cscott@appdynamics.com wrote:
Definitely not an entropy problem. I see "ACCEPT" in the logs, but nothing else.
I hadn't realized RedHat was so damn behind. I'm going to generate a custom package with the latest version and see if the problem goes away.
Note that RedHat links to its own broken SSL implementation, MozNSS. I don't know if Scientific Linux went the same route or not, which is why I (again) recommend linking (sanely) to a current version of OpenSSL.
--Quanah
openldap-technical@openldap.org