Summary: ldap_start_tls() doesn't fail gracefully
Product: [Fedora] Fedora
Component: openldap
Reporter: Miloslav Trmač <mitr>
Assignee: Jan Safranek <jsafrane>
Status: CLOSED CURRENTRELEASE
Fixed In Version: 2.3.34-0.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-17 14:48:32 UTC
Description Miloslav Trmač 2005-08-03 02:31:01 UTC
+++ This bug was initially created as a clone of Bug #137581 +++

Description of problem:
It should be possible to issue ldap_start_tls_s() against an OpenLDAP server that is not configured for TLS and simply have TLS not be negotiated. Unfortunately, this is not the case: the connection to the LDAP server becomes unusable. You can test this quite easily with ldapsearch:

Version-Release number of selected component (if applicable):
openldap-2.2.23-5

How reproducible:
Always

Steps to Reproduce:
1. Install openldap and make sure that the TLS lines are commented out in /etc/openldap/slapd.conf
2. Start the ldap server
3. Run, for example, "ldapsearch -Zxh localhost objectclass=*"

Actual Results:
Instead of getting something, anything, back from the LDAP server you get an error like this:

ldap_start_tls: Connect error
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Expected Results:
An indication that TLS cannot be negotiated, and then carry on without TLS. The "-ZZ" option for ldapsearch requires that TLS is negotiated.
Comment 1 Miloslav Trmač 2005-08-03 02:35:08 UTC
*** Bug 164413 has been marked as a duplicate of this bug. ***
Comment 2 Christian Iseli 2007-01-20 00:53:03 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
Comment 3 Miloslav Trmač 2007-07-17 14:48:32 UTC
This works fine on FC7 (openldap-2.3.34-0.fc7).
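
The "-Z" versus "-ZZ" behaviour the report expects, sketched as an added example that is not part of this bug report or of OpenLDAP's code: a failed StartTLS handle is closed rather than reused, "require" fails closed, and "try" reconnects in cleartext while recording that TLS is off. The names ldap_ops, open_session, tls_policy and the fake servers are hypothetical, constructed stand-ins for the real libldap calls so the logic runs without a server.

```c
#include <stdio.h>

/* Hypothetical hooks standing in for the libldap calls a client would make
   (connect, StartTLS, close); they keep the example runnable without a server. */
typedef struct {
    void *(*connect)(const char *uri);
    int   (*start_tls)(void *conn);          /* 0 on success */
    void  (*close)(void *conn);
} ldap_ops;
typedef enum { TLS_TRY, TLS_REQUIRE } tls_policy;   /* like -Z and -ZZ */
typedef struct { void *conn; int tls_active; } ldap_session;

/* Returns 0 with a usable session, -1 otherwise. Callers should check
   tls_active before sending credentials over the session. */
int open_session(const ldap_ops *ops, const char *uri, tls_policy pol,
                 ldap_session *s)
{
    s->tls_active = 0;
    if ((s->conn = ops->connect(uri)) == NULL)
        return -1;
    if (ops->start_tls(s->conn) == 0) {
        s->tls_active = 1;
        return 0;
    }
    /* A failed StartTLS can leave the handle unusable (the behaviour in this
       report), so never reuse it: close it and decide by policy. */
    ops->close(s->conn);
    s->conn = NULL;
    if (pol == TLS_REQUIRE)
        return -1;
    fprintf(stderr, "warning: StartTLS failed, continuing without TLS\n");
    s->conn = ops->connect(uri);              /* fresh cleartext connection */
    return s->conn ? 0 : -1;
}

/* Constructed fake servers: count connects and closes for inspection. */
static int fake_connects, fake_closes, fake_handle;
static void *fake_connect(const char *uri) { (void)uri; fake_connects++; return &fake_handle; }
static int   fake_no_tls(void *c) { (void)c; return -1; }
static int   fake_tls_ok(void *c) { (void)c; return 0; }
static void  fake_close(void *c) { (void)c; fake_closes++; }
const ldap_ops NO_TLS_SERVER = { fake_connect, fake_no_tls, fake_close };
const ldap_ops TLS_SERVER    = { fake_connect, fake_tls_ok, fake_close };

int main(void)
{
    ldap_session s;
    int rc = open_session(&NO_TLS_SERVER, "ldap://localhost", TLS_TRY, &s);
    printf("rc=%d tls_active=%d\n", rc, s.tls_active);
    return rc ? 1 : 0;
}
```

Because the TLS_TRY path accepts a cleartext session whenever the handshake fails, anything that must not travel unencrypted should use TLS_REQUIRE, the equivalent of "-ZZ".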