Intermittent hangs during ldap_search_ext when TLS enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap | Fix Released | Medium | |
openldap (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Utkarsh Gupta |
Groovy | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
========
When connecting to an LDAP server over TLS, ldap_search_ext can hang if the process receives a signal during the initial TLS handshake. The cause of this bug is the same as https:/
In our case this bug causes failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by an sssd_be restart after a timeout has been hit.
[Test Plan]
===========
When using openldap on 20.04, this bug causes failures in the SSSD LDAP backend, resulting in authentication errors followed by an sssd_be restart after a timeout has been hit:
Mar 19 19:05:31 mail auth[867454]: pam_sss(
Mar 19 19:05:32 mail sssd_be[867455]: Starting up
With the patched version, this should no longer be a problem.
[Where Problems Could Occur]
============================
With this patch applied, there may be a few edge cases in (and varying between) different versions of GnuTLS, and also some bits that are discussed in https:/
But that said, the patched version has already been running in production for over two weeks (at the time of writing, 07/04/21). So I believe the SRU will clearly benefit from this and has a lower risk of regression.
[More Info]
===========
A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Sergio Durigan Junior: Pending requested
- git-ubuntu developers: Pending requested
Diff: 182 lines (+160/-0), 3 files modified
debian/changelog (+8/-0)
debian/patches/ITS-8650-loop-on-incomplete-TLS-handshake.patch (+151/-0)
debian/patches/series (+1/-0)
description: updated
Changed in openldap:
importance: Unknown → Medium
status: Unknown → Fix Released
description: updated
tags: added: verification-done; removed: verification-needed
Full_Name: Ryan Tandy
Version: RE24
OS: Debian
URL:
Submission from: (NULL) (24.68.41.160)
Submitted by: ryan
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861838
That bug's submitter seems to have unintentionally configured their slapd with the entire list of system CAs. They're fixing it, but we have a bug here too.
When the ServerHello is larger than 16 KB, gnutls_handshake can return GNUTLS_E_AGAIN. In theory this was always possible, but I'm only seeing it happen with gnutls 3.x and haven't found the exact change responsible.
We need to loop gnutls_handshake until it completes, like we do already in the re-handshake case.
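The handshake-retry contract described above, as an added example that is not OpenLDAP's code and not the ITS#8650 patch attached to this bug. GnuTLS reports GNUTLS_E_AGAIN from gnutls_handshake() when the rest of a large message (such as a ServerHello carrying a long certificate chain) has not arrived yet, and GNUTLS_E_INTERRUPTED when a read was cut short by a signal; both are non-fatal and mean "call gnutls_handshake() again". Because this example has to run without GnuTLS installed, it does not link the library: it drives a small fake session (fake_handshake, fake_error_is_fatal, the struct fields and the numeric error values are all assumptions of this model) that yields the same sequence of return codes, so the single-call strategy and the retry loop can be compared offline. The retry loop itself is the idiom GnuTLS documents for gnutls_handshake(), shown in the comment.

```c
/* Added example: model of why a TLS handshake must be retried while the
 * library reports a non-fatal condition. Does NOT link GnuTLS; the fake
 * session below only reproduces the return-code sequence. All names and
 * values in this file are assumptions of the model. */
#include <stdio.h>

enum {
    HS_OK = 0,
    HS_E_AGAIN = -28,       /* model value: transport has no more data yet */
    HS_E_INTERRUPTED = -52, /* model value: read interrupted by a signal */
    HS_E_FATAL = -10        /* model value: stands in for any fatal alert */
};

/* Fake session: a handshake that needs `pending_steps` partial reads before
 * it completes, optionally hit by a signal or a fatal alert at a given step. */
struct fake_session {
    int pending_steps;  /* partial reads (HS_E_AGAIN) before completion */
    int signal_at_step; /* step at which a signal interrupts the read, -1 = never */
    int fatal_at_step;  /* step at which the peer sends a fatal alert, -1 = never */
    int step;           /* number of handshake calls made so far */
};

/* One handshake attempt on the fake session (stand-in for gnutls_handshake). */
static int fake_handshake(struct fake_session *s)
{
    int this_step = s->step++;
    if (this_step == s->fatal_at_step)  return HS_E_FATAL;
    if (this_step == s->signal_at_step) return HS_E_INTERRUPTED;
    if (this_step < s->pending_steps)   return HS_E_AGAIN;
    return HS_OK;
}

/* Stand-in for gnutls_error_is_fatal(): AGAIN and INTERRUPTED are retryable. */
static int fake_error_is_fatal(int rc)
{
    return rc < 0 && rc != HS_E_AGAIN && rc != HS_E_INTERRUPTED;
}

/* Single-shot strategy: one call, then the caller goes back to waiting for
 * the socket. When the library has already buffered the data it needs, no
 * further read event arrives and the caller waits forever: the hang that
 * the bug report describes. */
static int handshake_once(struct fake_session *s)
{
    return fake_handshake(s);
}

/* Retry strategy, the idiom GnuTLS documents for gnutls_handshake():
 *     do { rc = gnutls_handshake(session); }
 *     while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
 * max_tries is a guard for this model only, so a backend that never
 * completes cannot spin the test forever. */
static int handshake_loop(struct fake_session *s, int max_tries, int *tries_out)
{
    int rc, tries = 0;
    do {
        rc = fake_handshake(s);
        tries++;
    } while (rc < 0 && !fake_error_is_fatal(rc) && tries < max_tries);
    if (tries_out) *tries_out = tries;
    return rc;
}

/* Constructed scenario: a ServerHello delivered over three partial reads,
 * with a signal arriving during the second one. */
static struct fake_session large_hello_with_signal(void)
{
    struct fake_session s = { .pending_steps = 3, .signal_at_step = 1,
                              .fatal_at_step = -1, .step = 0 };
    return s;
}

/* Constructed scenario: the peer sends a fatal alert on the third read. */
static struct fake_session fatal_alert_on_third_read(void)
{
    struct fake_session s = { .pending_steps = 3, .signal_at_step = -1,
                              .fatal_at_step = 2, .step = 0 };
    return s;
}

int main(void)
{
    int tries = 0;
    struct fake_session a = large_hello_with_signal();
    struct fake_session b = large_hello_with_signal();
    struct fake_session c = fatal_alert_on_third_read();

    printf("single call: rc=%d (non-fatal, but caller stops here)\n", handshake_once(&a));
    printf("retry loop:  rc=%d after %d calls\n", handshake_loop(&b, 10, &tries), tries);
    printf("fatal alert: rc=%d after %d calls\n", handshake_loop(&c, 10, &tries), tries);
    return 0;
}
```

The two strategies see exactly the same byte stream; the only difference is whether the caller treats a negative return as "done for now" or asks the library whether the error is fatal before giving up, which is the check the ITS#8650 patch title refers to.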