Bug 164958

Summary: ldap_start_tls() doesn't fail gracefully
Product: [Fedora] Fedora Reporter: Miloslav Trmač <mitr>
Component: openldap Assignee: Jan Safranek <jsafrane>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4 CC: gary, mitr
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: 2.3.34-0.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-17 14:48:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---

Description Miloslav Trmač 2005-08-03 02:31:01 UTC
+++ This bug was initially created as a clone of Bug #137581 +++

Description of problem:
It should be possible to issue ldap_start_tls_s() against an OpenLDAP
server that is not configured for TLS and simply have TLS not be
negotiated. Unfortunately, this is not the case: the connection to
the LDAP server becomes unusable. You can test this quite easily
with ldapsearch:

Version-Release number of selected component (if applicable):
openldap-2.2.23-5

How reproducible:
Always

Steps to Reproduce:
1. Install openldap and make sure that the TLS lines are commented out
in /etc/openldap/slapd.conf
2. Start the ldap server
3. Run, for example, "ldapsearch -Zxh localhost objectclass=*"

Actual Results:  Instead of getting something, anything, back from the
LDAP server you get an error like this:

ldap_start_tls: Connect error
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


Expected Results:  An indication that TLS cannot be negotiated, and
then carry on without TLS.  The "-ZZ" option for ldapsearch requires
that TLS is negotiated.

Comment 1 Miloslav Trmač 2005-08-03 02:35:08 UTC
*** Bug 164413 has been marked as a duplicate of this bug. ***

Comment 2 Christian Iseli 2007-01-20 00:53:03 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.

Comment 3 Miloslav Trmač 2007-07-17 14:48:32 UTC
This works fine on FC7 (openldap-2.3.34-0.fc7).