Bug 207518

Summary: Usage of DIGEST-MD5 corrupts session of programs
Product: Red Hat Enterprise Linux 4
Reporter: IDA, TU-Braunschweig <mad-t4>
Component: cyrus-sasl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
Hardware: All
OS: Linux
Fixed In Version: cyrus-sasl-2.1.19-14
Doc Type: Bug Fix
Last Closed: 2009-04-10 13:56:16 UTC

Description IDA, TU-Braunschweig 2006-09-21 14:17:50 UTC
Description of problem:

Using SASL/DIGEST-MD5 authentication, programs like 'ldapsearch' report an
'Invalid Sequence Number' followed by a bogus 'ldap_result: Can't contact LDAP
server (-1)' when transferring larger amounts of data.

It is possible that this problem only occurs using TLS/SSL connections.


Version-Release number of selected component (if applicable):

cyrus-sasl-md5-2.1.19-5.EL4


How reproducible:

Server is on RHEL4. Client is on same host, or on different Linux distro.
DIGEST-MD5 modules must be installed.

Here we can reproduce the problem 100% - it seems very deterministic and
seemingly depends on the size of the transferred data.

Steps to Reproduce:

1.) You need a SASL enabled LDAP-server
2.) You need lots of data on that server (here: dbsize of ~10MB)
3.) You query lots of data from that server

ldapsearch -H ldaps://server -Y DIGEST-MD5
...
... outputs lots of (correct) data ...
...
... and suddenly stops after approx. 40k lines
...
ldap_result: Can't contact LDAP server (-1)


ldapsearch -H ldaps://server -Y CRAM-MD5
...
... works fine
...

ldapsearch -H ldap://server -Y DIGEST-MD5
...
... works fine for me without TLS/SSL
...

ldapsearch -H ldap://server -Y DIGEST-MD5 -Z
...
... same problem as with ldaps://server -Y DIGEST-MD5
...


Actual results:
see above

Expected results:
no error - just the data

Additional info:
Using strace to debug this problem, we found out that the digest-md5 module
tries to syslog "Invalid Sequence Number".

We found this thread on a ML: http://www.spinics.net/lists/cyrus-sasl/msg00168.html
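For readers who want to see what the check behind the "Invalid Sequence Number" message actually is, the following is an added illustration; it is not part of the bug report and not cyrus-sasl's code, and it says nothing about the root cause, which the thread never identified. It is a small Python model of the DIGEST-MD5 integrity layer ("auth-int") as specified in RFC 2831 section 2.3: each protected message is the payload, followed by the first 10 bytes of HMAC-MD5(Ki, SeqNum || payload), a two-byte version 0x0001 and the 4-byte big-endian sequence number, the whole thing prefixed by a 4-byte length. Sender and receiver each keep a counter that starts at 0 and advances once per message. The H(A1) value is a constructed placeholder (in a real exchange it comes from the authentication step), and `simulate` and `tamper_check` are hypothetical helpers written for this example.

```python
import hashlib
import hmac
import struct

# Magic strings from RFC 2831 section 2.3 (integrity protection).
C2S_MAGIC = b"Digest session key to client-to-server signing key magic constant"
S2C_MAGIC = b"Digest session key to server-to-client signing key magic constant"

VERSION = b"\x00\x01"          # two-byte protocol version carried in every message
MAC_LEN = 10                   # first 10 bytes of HMAC-MD5
TRAILER_LEN = MAC_LEN + 2 + 4  # MAC || version || SeqNum


def signing_key(h_a1: bytes, magic: bytes) -> bytes:
    """Ki = MD5(H(A1) || magic), RFC 2831 2.3. H(A1) is the 16-byte MD5 from the auth step."""
    return hashlib.md5(h_a1 + magic).digest()


class IntegrityLayer:
    """One direction of the DIGEST-MD5 'auth-int' layer. The sender's and the
    receiver's 32-bit counters both start at 0 and advance once per message."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki
        self.seq = 0

    def wrap(self, msg: bytes) -> bytes:
        seqnum = struct.pack(">I", self.seq)
        mac = hmac.new(self.ki, seqnum + msg, hashlib.md5).digest()[:MAC_LEN]
        body = msg + mac + VERSION + seqnum
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        # Every protected message is preceded by its 4-byte big-endian length.
        return struct.pack(">I", len(body)) + body

    def unwrap(self, packet: bytes) -> bytes:
        if len(packet) < 4:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", packet[:4])
        body = packet[4:4 + length]
        if len(body) != length or length < TRAILER_LEN:
            raise ValueError("truncated message")
        msg = body[:-TRAILER_LEN]
        mac = body[-TRAILER_LEN:-6]
        version = body[-6:-4]
        seqnum = body[-4:]
        if version != VERSION:
            raise ValueError("unsupported version")
        # The MAC covers the sequence number the *sender* used, so a frame that was
        # delayed or preceded by a lost frame still carries a valid MAC...
        expected_mac = hmac.new(self.ki, seqnum + msg, hashlib.md5).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected_mac):
            raise ValueError("MAC mismatch")
        # ...and is then rejected purely because the counters no longer agree.
        if seqnum != struct.pack(">I", self.seq):
            raise ValueError("Invalid Sequence Number")
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return msg


def _layers():
    # Constructed H(A1) for the example only; a real one comes from the auth exchange.
    h_a1 = hashlib.md5(b"constructed H(A1) for the example").digest()
    ki = signing_key(h_a1, C2S_MAGIC)
    return IntegrityLayer(ki), IntegrityLayer(ki)


def simulate(drop_index=None):
    """Client wraps five frames; the server receives them in order except that the
    frame at drop_index (if any) never arrives. Returns one status string per frame."""
    client, server = _layers()
    frames = [client.wrap(b"entry %d" % i) for i in range(5)]
    results = []
    for i, frame in enumerate(frames):
        if i == drop_index:
            results.append("dropped")
            continue
        try:
            results.append("ok " + server.unwrap(frame).decode())
        except ValueError as e:
            results.append("rejected: " + str(e))
    return results


def tamper_check() -> str:
    """Flip one payload byte in transit: the receiver must report a MAC mismatch,
    not a sequence error, so the two failure modes stay distinguishable."""
    client, server = _layers()
    frame = bytearray(client.wrap(b"entry 0"))
    frame[4] ^= 0x01  # first payload byte, right after the 4-byte length prefix
    try:
        server.unwrap(bytes(frame))
    except ValueError as e:
        return str(e)
    return "accepted"
```

The point of the simulation is that the sequence check is stateful: once a single frame goes missing (or is counted twice on one side), every later frame fails with "Invalid Sequence Number" even though each one is correctly authenticated, and the receiver has no way to resynchronise, so the only safe reaction is to abandon the connection. That is the shape of failure the reporter saw on the client side; why the counters diverged in this particular environment is not established anywhere in the thread.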

Comment 2 Tomas Mraz 2009-04-10 12:48:17 UTC
Unfortunately I am not able to reproduce this problem with current cyrus-sasl and openldap packages on RHEL-4 Update 7.

cyrus-sasl-2.1.19-14
openldap-2.2.13-12.el4

Can you still reproduce it?

Comment 3 IDA, TU-Braunschweig 2009-04-10 13:50:42 UTC
The problem is no longer reproducible, neither on 4.7 nor (and it never was) on 5.3.

The cyrus and openldap packages were updated in 2007 (after filing the bug). I cannot tell what solved the problem, sorry.

But it no longer persists. Thank you for looking into this problem.

Best regards,

Matthias Ivers