Bug 137581 - ldap_start_tls() doesn't fail gracefully
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap
i686 Linux
Priority: medium
Severity: medium
Assigned To: Jan Safranek
Jay Turner
Depends On:
Reported: 2004-10-29 12:36 EDT by John Haxby
Modified: 2015-01-07 19:08 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-19 15:15:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description John Haxby 2004-10-29 12:36:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.2)

Description of problem:
It should be possible to issue ldap_start_tls_s() against an OpenLDAP
server that is not configured for TLS and simply have TLS not be
negotiated. Unfortunately, this is not the case: the connection to
the LDAP server becomes unusable. You can test this quite easily
with ldapsearch:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install openldap and make sure that the TLS lines are commented out
in /etc/openldap/slapd.conf
2. Start the ldap server
3. Run, for example, "ldapsearch -Zxh localhost objectclass=*"

Actual Results: Instead of getting something, anything, back from the
LDAP server you get an error like this:

ldap_start_tls: Connect error
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Expected Results: An indication that TLS cannot be negotiated, and
then carrying on without TLS. The "-ZZ" option for ldapsearch requires
that TLS is negotiated.

Additional info:

Another completely different implementation of an LDAP server that
doesn't support TLS at all works just fine: "ldapsearch -Z" reports
that TLS couldn't be negotiated, but the search carries on.
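The behaviour the report asks for, a client that attempts StartTLS and either proceeds over TLS or carries on cleanly when the server declines, is easiest to see with the protocol messages themselves. The following Python is an added example, not code from the report or from OpenLDAP: it builds the client's StartTLS ExtendedRequest and a server's ExtendedResponse (RFC 4511 section 4.14) in BER, parses the reply, and puts the fail-open decision (continue in clear text, the "-Z" behaviour the reporter expects) next to the fail-closed one (refuse, the "-ZZ" behaviour). The StartTLS OID and the resultCode values are from RFC 4511; the function names, the message contents and the diagnostic text are constructed for this demonstration, and no server is contacted.

```python
"""StartTLS negotiation (RFC 4511 section 4.14) with fail-open and fail-closed handling.
Both sides' messages are built and parsed here, so it runs offline with no LDAP server."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# LDAP resultCode values (RFC 4511 appendix A) a server may return to StartTLS.
SUCCESS = 0
UNAVAILABLE = 52
UNWILLING_TO_PERFORM = 53


class StartTLSError(Exception):
    """Raised when TLS was required (the ldapsearch -ZZ semantic) but not negotiated."""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(tag: int, value: int) -> bytes:
    """INTEGER/ENUMERATED for non-negative values; the width keeps the sign bit clear."""
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int) -> bytes:
    """Client: LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] requestName
    return _tlv(0x30, _ber_int(0x02, message_id) + _tlv(0x77, request_name))  # [APPLICATION 23]


def build_extended_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server: LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN, diag, responseName } }."""
    body = (_ber_int(0x0A, result_code)                  # ENUMERATED resultCode
            + _tlv(0x04, b"")                            # matchedDN, empty
            + _tlv(0x04, diagnostic.encode("utf-8"))     # diagnosticMessage
            + _tlv(0x8A, STARTTLS_OID.encode("ascii")))  # [10] responseName
    return _tlv(0x30, _ber_int(0x02, message_id) + _tlv(0x78, body))  # [APPLICATION 24]


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def negotiate_starttls(server_reply: bytes, message_id: int, require_tls: bool) -> str:
    """Client decision after the StartTLS reply: "tls" means run the TLS handshake on the
    socket now; "plaintext" means the server declined and, per RFC 4511, the session simply
    continues unencrypted.  With require_tls=True (ldapsearch -ZZ) a decline is an error."""
    mid, code, diag = parse_extended_response(server_reply)
    if mid != message_id:
        raise StartTLSError(f"messageID mismatch: sent {message_id}, got {mid}")
    if code == SUCCESS:
        return "tls"
    if require_tls:
        raise StartTLSError(f"server refused StartTLS (resultCode {code}: {diag!r})")
    return "plaintext"


def simulate(server_supports_tls: bool, require_tls: bool) -> str:
    """Constructed exchange: one request, one response, one decision."""
    message_id = 1
    request = build_starttls_request(message_id)  # what the client would put on the wire
    assert STARTTLS_OID.encode("ascii") in request
    if server_supports_tls:
        reply = build_extended_response(message_id, SUCCESS)
    else:  # constructed reply of a server with no TLS configured
        reply = build_extended_response(message_id, UNAVAILABLE, "TLS not supported")
    return negotiate_starttls(reply, message_id, require_tls)


if __name__ == "__main__":
    print(simulate(True, True))    # tls
    print(simulate(False, False))  # plaintext: the fail-open behaviour the report asks for
    try:
        simulate(False, True)      # fail-closed, like ldapsearch -ZZ
    except StartTLSError as e:
        print("refused:", e)
```

The point of keeping both paths side by side: a protocol-level decline leaves the session in clear text, so a client that is about to bind with a password should take the `-ZZ` path and treat the decline as fatal rather than silently downgrading. The report's own failure happened one step later, in the TLS handshake after the server had already accepted the request; that stage is outside this example, which models the decline a server with no TLS configured can send.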
Comment 1 Miloslav Trmač 2005-04-22 12:38:07 EDT
This also affects current devel (openldap 2.2.23-4), but not FC3
Comment 2 RHEL Product and Program Management 2007-10-19 15:15:16 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
