Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Created attachment 893157[details]
Java demo which demostrate problem
When we try to upgrade from Rhel5 to Rhel6 our java application authenticating users over OpenLdap stops work. Application use extended ldap operation StartTLS to switch to secure communication before authenticating user.
TLS handshake and authentication works fine, but when we close TLS context (which sends tls close_notify alert rfc2246 7.2) openldap server does not send response and application froze waiting for it.
I have try to build openldap server from SRPMS without NSS support and application works fine. Server send response to close_notify alert as required in rfc2246 7.2.1 and connection is correctly cleaned.
So the problem is using NSS implementation of TLS in OpenLdap.
After a few time "playing" with gdb I think the problem is between ssl3gthr.c:368 and method ssl3_HandleAlert in ssl3con.c:3268.
By my opinion in context of line ssl3gthr.c:368
----
if (rv < 0) {
return ss->recvdCloseNotify ? 0 : rv;
----
method ssl3_HandleAlert should in case of close_notify alert
return negative value.
or ssl3gthr.c:368 should be changed to something like
------
if (rv < 0) {
return ss->recvdCloseNotify ? 0 : rv;
}
if (rv == 0 && ss->recvdCloseNotify) {
return 0;
}
------
But the source code is little bit complicated so I am not sure that this
solution is correct.
As attachment I add simple java program which should be used to demonstrate
this problem.
Created attachment 893157 [details] Java demo which demostrate problem When we try to upgrade from Rhel5 to Rhel6 our java application authenticating users over OpenLdap stops work. Application use extended ldap operation StartTLS to switch to secure communication before authenticating user. TLS handshake and authentication works fine, but when we close TLS context (which sends tls close_notify alert rfc2246 7.2) openldap server does not send response and application froze waiting for it. I have try to build openldap server from SRPMS without NSS support and application works fine. Server send response to close_notify alert as required in rfc2246 7.2.1 and connection is correctly cleaned. So the problem is using NSS implementation of TLS in OpenLdap. After a few time "playing" with gdb I think the problem is between ssl3gthr.c:368 and method ssl3_HandleAlert in ssl3con.c:3268. By my opinion in context of line ssl3gthr.c:368 ---- if (rv < 0) { return ss->recvdCloseNotify ? 0 : rv; ---- method ssl3_HandleAlert should in case of close_notify alert return negative value. or ssl3gthr.c:368 should be changed to something like ------ if (rv < 0) { return ss->recvdCloseNotify ? 0 : rv; } if (rv == 0 && ss->recvdCloseNotify) { return 0; } ------ But the source code is little bit complicated so I am not sure that this solution is correct. As attachment I add simple java program which should be used to demonstrate this problem.