Bug 207518 - Usage of DIGEST-MD5 corrupts session of programs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cyrus-sasl
4.0
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2006-09-21 10:17 EDT by IDA, TU-Braunschweig
Modified: 2009-04-10 09:56 EDT (History)
Fixed In Version: cyrus-sasl-2.1.19-14
Doc Type: Bug Fix
Last Closed: 2009-04-10 09:56:16 EDT
Description IDA, TU-Braunschweig 2006-09-21 10:17:50 EDT
Description of problem:

Using a SASL/DIGEST-MD5 authentication, programs like 'ldapsearch' report an
'Invalid Sequence Number' followed by a bogus 'ldap_result: Can't contact LDAP
server (-1)' when transferring larger data.

It is possible that this problem only occurs using TLS/SSL connections.


Version-Release number of selected component (if applicable):

cyrus-sasl-md5-2.1.19-5.EL4


How reproducible:

Server is on RHEL4. Client is on same host, or on different Linux distro.
DIGEST-MD5 modules must be installed.

Here we can reproduce the problem 100% - it seems very deterministic and
seemingly depends on the size of the transferred data.

Steps to Reproduce:

1.) You need a SASL enabled LDAP-server
2.) You need lots of data on that server (here: dbsize of ~10MB)
3.) You query lots of data from that server

ldapsearch -H ldaps://server -Y DIGEST-MD5
...
... outputs lots of (correct) data ...
...
... and suddenly stops after approx. 40k lines
...
ldap_result: Can't contact LDAP server (-1)


ldapsearch -H ldaps://server -Y CRAM-MD5
...
... works fine
...

ldapsearch -H ldap://server -Y DIGEST-MD5
...
... works fine for me without TLS/SSL
...

ldapsearch -H ldap://server -Y DIGEST-MD5 -Z
...
... same problem as with ldaps://server -Y DIGEST-MD5
...


  
Actual results:
see above

Expected results:
no error - just the data

Additional info:
Using strace to debug this problem, we found out that the digest-md5 module
tries to syslog "Invalid Sequence Number".

We found this thread on a ML: http://www.spinics.net/lists/cyrus-sasl/msg00168.html
Comment 2 Tomas Mraz 2009-04-10 08:48:17 EDT
Unfortunately I am not able to reproduce this problem with current cyrus-sasl and openldap packages on RHEL-4 Update 7.

cyrus-sasl-2.1.19-14
openldap-2.2.13-12.el4

Can you still reproduce it?
Comment 3 IDA, TU-Braunschweig 2009-04-10 09:50:42 EDT
Problem is no longer reproducible, neither on 4.7 nor (and never was) on 5.3.

The cyrus and openldap packages were updated in 2007 (after filing the bug). I cannot tell what solved the problem, sorry.

But it is no longer persistent. Thank you for looking into that problem.

best regards

 Matthias Ivers