Bug 207518 - Usage of DIGEST-MD5 corrupts session of programs
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cyrus-sasl
Version: 4.0
Hardware: All Linux
Assignee: Tomas Mraz
QA Contact: Brian Brock
Reported: 2006-09-21 14:17 UTC by IDA, TU-Braunschweig
Modified: 2009-04-10 13:56 UTC (History)

Fixed In Version: cyrus-sasl-2.1.19-14
Doc Type: Bug Fix
Last Closed: 2009-04-10 13:56:16 UTC

Description IDA, TU-Braunschweig 2006-09-21 14:17:50 UTC
Description of problem:

Using a SASL/DIGEST-MD5 authentication, programs like 'ldapsearch' report an
'Invalid Sequence Number' followed by a bogus 'ldap_result: Can't contact LDAP
server (-1)' when transferring larger data.

It is possible that this problem only occurs using TLS/SSL connections.

Version-Release number of selected component (if applicable):


How reproducible:

Server is on RHEL4. Client is on same host, or on different Linux distro.
DIGEST-MD5 modules must be installed.

Here we can reproduce the problem 100% - it seems very deterministic and
seemingly depends on the size of the transferred data.

Steps to Reproduce:

1.) You need a SASL enabled LDAP-server
2.) You need lots of data on that server (here: dbsize of ~10MB)
3.) You query lots of data from that server

ldapsearch -H ldaps://server -Y DIGEST-MD5
... outputs lots of (correct) data ...
... and suddenly stops after approx. 40k lines
ldap_result: Can't contact LDAP server (-1)

ldapsearch -H ldaps://server -Y CRAM-MD5
... works fine

ldapsearch -H ldap://server -Y DIGEST-MD5
... works fine for me without TLS/SSL

ldapsearch -H ldap://server -Y DIGEST-MD5 -Z
... same problem as with ldaps://server -Y DIGEST-MD5

Actual results:
see above

Expected results:
no error - just the data

Additional info:
Using strace to debug this problem, we found out that the digest-md5 module
tries to syslog "Invalid Sequence Number".

We found this thread on a ML: http://www.spinics.net/lists/cyrus-sasl/msg00168.html

Comment 2 Tomas Mraz 2009-04-10 12:48:17 UTC
Unfortunately I am not able to reproduce this problem with current cyrus-sasl and openldap packages on RHEL-4 Update 7.


Can you still reproduce it?

Comment 3 IDA, TU-Braunschweig 2009-04-10 13:50:42 UTC
The problem is no longer reproducible, neither on 4.7 nor (and never was) on 5.3.

The cyrus and openldap packages were updated in 2007 (after filing the bug). I cannot tell what solved the problem, sorry.

But it is no longer persistent. Thank you for looking into that problem.

Best regards

Matthias Ivers
