Bug 137581 - ldap_start_tls() doesn't fail gracefully
Summary: ldap_start_tls() doesn't fail gracefully
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap
Version: 3.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Jan Safranek
QA Contact: Jay Turner
Depends On:
Reported: 2004-10-29 16:36 UTC by John Haxby
Modified: 2015-01-08 00:08 UTC (History)

Clone Of:
Last Closed: 2007-10-19 19:15:16 UTC


Description John Haxby 2004-10-29 16:36:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.2)

Description of problem:
It should be possible to issue ldap_start_tls_s() against an OpenLDAP
server that is not configured for TLS and simply have TLS not be
negotiated. Unfortunately, this is not the case: the connection to
the LDAP server becomes unusable. You can test this quite easily
with ldapsearch:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install openldap and make sure that the TLS lines are commented out
in /etc/openldap/slapd.conf
2. Start the ldap server
3. Run, for example, "ldapsearch -Zxh localhost objectclass=*"

Actual Results:  Instead of getting something, anything, back from the
LDAP server you get an error like this:

ldap_start_tls: Connect error
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Expected Results:  An indication that TLS cannot be negotiated, and
then carry on without TLS.  The "-ZZ" option for ldapsearch requires
that TLS is negotiated.

Additional info:

Another completely different implementation of an LDAP server that
doesn't support TLS at all works just fine: "ldapsearch -Z" reports
that TLS couldn't be negotiated, but the search carries on.

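The StartTLS exchange this report exercises, as an added example that is not part of the bug report and not code from OpenLDAP's libldap or slapd. It BER-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), decodes the server's ExtendedResponse, and then makes the decision that separates "ldapsearch -Z" (try TLS, carry on without it if the server declines) from "ldapsearch -ZZ" (TLS required). The server replies it feeds itself are constructed for the demonstration; what slapd actually answers when its TLS lines are commented out is not shown on this page, and the use of result code 52 (unavailable) for a declining server is an assumption.

```python
# Added example, not from the bug report or from OpenLDAP. Minimal BER
# encoder/decoder for the LDAP StartTLS exchange plus the -Z / -ZZ decision.
# Server replies built here are constructed for the demo, not captured.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
LDAP_SUCCESS = 0
LDAP_UNAVAILABLE = 52   # assumed code for a server that declines StartTLS

# --- BER helpers ----------------------------------------------------------

def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(n):
    """Minimal two's-complement integer contents."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); ValueError on a truncated element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

# --- StartTLS messages ------------------------------------------------------

def build_starttls_request(msg_id):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }"""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode()))
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + ext_req)

def build_extended_response(msg_id, result_code, diag="", response_name=None):
    """Constructed reply: extendedResp [APPLICATION 24] { LDAPResult, responseName [10] }"""
    body = (_tlv(0x0A, _ber_int(result_code))   # resultCode ENUMERATED
            + _tlv(0x04, b"")                     # matchedDN (empty)
            + _tlv(0x04, diag.encode()))          # diagnosticMessage
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode())
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x78, body))

def parse_extended_response(data):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, v, p = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    msg_id = int.from_bytes(v, "big", signed=True)
    tag, op, _ = _read_tlv(msg, p)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, v, q = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    result_code = int.from_bytes(v, "big", signed=True)
    _, matched, q = _read_tlv(op, q)
    _, diag, q = _read_tlv(op, q)
    response_name = None
    while q < len(op):   # optional referral [3], responseName [10], responseValue [11]
        tag, v, q = _read_tlv(op, q)
        if tag == 0x8A:
            response_name = v.decode()
    return {"msg_id": msg_id, "result_code": result_code,
            "matched_dn": matched.decode(), "diag": diag.decode(),
            "response_name": response_name}

# --- The client decision ------------------------------------------------------

def starttls_outcome(result_code, handshake_ok, require_tls):
    """Session state a careful client ends in after sending StartTLS.

    result_code  -- resultCode from the ExtendedResponse
    handshake_ok -- outcome of the TLS handshake that follows a success reply
                    (ignored when the server declined)
    require_tls  -- True mirrors 'ldapsearch -ZZ', False mirrors '-Z'
    """
    if result_code != LDAP_SUCCESS:
        # Declined before any TLS bytes were sent: the plaintext session is
        # still well-formed, so '-Z' may carry on while '-ZZ' must give up.
        return "closed" if require_tls else "plaintext"
    if handshake_ok:
        return "tls"
    # Server accepted, then the handshake failed (the 'sslv3 alert handshake
    # failure' in this report): a half-done handshake is on the wire, so the
    # connection is no longer usable for LDAP and is closed under -Z and -ZZ.
    return "closed"

if __name__ == "__main__":
    reply = build_extended_response(1, LDAP_UNAVAILABLE, "TLS not available", STARTTLS_OID)
    print(parse_extended_response(reply), starttls_outcome(LDAP_UNAVAILABLE, None, False))
```

The two branches of starttls_outcome are the whole of the reporter's expectation: graceful fallback is only possible when the server declines the extended operation before any TLS bytes flow; once a handshake has started and failed, nothing on the socket is LDAP any more and closing it is the only safe move. The fallback itself is also where the security cost sits: with require_tls=False an on-path party that forges a non-success ExtendedResponse, or strips the server's real one, gets the session in plaintext, so "-Z" semantics are acceptable only where a plaintext session would have been acceptable anyway, and "-ZZ" (require_tls=True) is the setting to use when confidentiality or password safety matters.
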
Comment 1 Miloslav Trmač 2005-04-22 16:38:07 UTC
This also affects current devel (openldap 2.2.23-4), but not FC3

Comment 2 RHEL Product and Program Management 2007-10-19 19:15:16 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
