Bug 1445188 - Misleading error message - Incoming BER Element was 3 bytes
Summary: Misleading error message - Incoming BER Element was 3 bytes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-25 08:32 UTC by Amita Sharma
Modified: 2021-06-10 12:14 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-1.3.7.5-10.el7
Doc Type: Bug Fix
Doc Text:
Clear error message when sending TLS data to a non-LDAPS port Previously, Directory Server decoded TLS protocol handshakes sent to a port that was configured to use plain text as an *LDAPMessage* data type. However, decoding failed and the server reported the misleading "BER was 3 bytes, but actually was <greater>" error. With this update, Directory Server detects if TLS data is sent to a port configured for plain text and returns the following error message to the client: Incoming BER Element may be misformed. This may indicate an attempt to use TLS on a plaintext port, IE ldaps://localhost:389. Check your client LDAP_URI settings. As a result, the new error message indicates that an incorrect client configuration causes the problem.
Clone Of:
Environment:
Last Closed: 2018-04-10 14:16:50 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2049 0 None closed Misleading error message for TLS on the clear text port. 2021-02-09 19:59:45 UTC
Github 389ds 389-ds-base issues 2436 0 None closed Misleading error message - Incoming BER Element was 3 bytes 2021-02-09 19:59:45 UTC
Red Hat Product Errata RHBA-2018:0811 0 None None None 2018-04-10 14:17:45 UTC

Description Amita Sharma 2017-04-25 08:32:07 UTC 
Description of problem:
Because of a wrong port number used in commandline for ladpmodify, I am getting in error logs - 
[25/Apr/2017:03:03:32.806827033 -0400] - ERR - log_ber_too_big_error - conn=12 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. 

which is misleading

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-9.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure MMR with SSL

2. execute - /usr/lib64/mozldap/ldapmodify -Z -P "/etc/dirsrv/slapd-M1/cert8.db" -W secret12 -p 30100 -h localhost -D "cn=directory manager" -w Secret123 << EOF
dn: uid=new_user4,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: new_user4
sn: new_user4
cn: new_user4
EOF

where 30100 is non-ssl port (wrong port number)

3. you will get below on command line -
ldap_simple_bind: Can't contact LDAP server
	SSL error -5938 (Encountered end of file.)

4. And in error messages, it will show -
[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Actual results:
Error message for a wrong port-

[25/Apr/2017:03:13:17.830291071 -0400] - ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[25/Apr/2017:03:22:08.700482270 -0400] - ERR - log_ber_too_big_error - conn=22 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.


Expected results:
Errors message should be helpful in pointing out the mistake.


Additional info:
Comment 2 Amita Sharma 2017-04-25 09:08:18 UTC 
Here the error message says "ERR - log_ber_too_big_error - conn=16 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase."

Even if you try to change the nsslapd-maxbersize attribute in cn=config to increase, it does not help to resolve the issue and leads to more confusion.
Comment 3 wibrown@redhat.com 2017-09-11 23:49:32 UTC 
I've seen this before. It's when you use TLS on a ldap:// port. This could be easy to detect and fix but I seem to remember last I looked at it, it was more annoying than I thought.
Comment 4 wibrown@redhat.com 2017-09-11 23:53:54 UTC 
Upstream ticket:
https://pagure.io/389-ds-base/issue/49377
Comment 9 Amita Sharma 2017-11-21 10:47:43 UTC 
After discussion on IRC it is clear that we can still get both of these error messages in some cases. Hence marking bug as verified. Thanks @wibrown
Comment 10 wibrown@redhat.com 2017-12-05 09:43:29 UTC 
You're welcome Amita!
Comment 17 errata-xmlrpc 2018-04-10 14:16:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811
Note You need to log in before you can comment on or make changes to this bug.