Odd issue with 389 and updating to Cent 6.8 with TLS/SSL

We had to update our server from CentOS 6.7 to CentOS 6.8 due to security compliance. When doing so, however, it caused 389 to be unstable on TLS/SSL port 636. It would be up for a minute or two, then fail with the following error when a server/script tried to connect. Non-TLS/SSL port 389 would work fine without any issues/errors. Before we patched, it would work without issues. Connecting to the port shows no issue with the certificate.

[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.

From the client:

TLS: loaded CA certificate file /etc/pki/tls/certs/bundle.crt.
TLS: certificate [CN=XXXXXX.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated] is valid
TLS: error: tlsm_PR_Recv returned -1 - error 104:Connection reset by peer
TLS: error: connect - force handshake failure: errno 104 - moznss error -5961
TLS: can't connect: TLS error -5961:TCP connection reset by peer.
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind

Normal Connection:

[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES

Current Version of 389:

389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-console-1.1.7-1.el6.noarch

NSS:

nss-3.21.0-8.el6.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64
nss-softokn-freebl-3.14.3-23.el6_7.i686
nss-softokn-freebl-3.14.3-23.el6_7.x86_64
nss-sysinit-3.21.0-8.el6.x86_64
nss-tools-3.21.0-8.el6.x86_64
nss-util-3.21.0-2.el6.x86_64

Port is open:

tcp        0      0 :::636                      :::*                        LISTEN

Approx Strace:

getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=8, revents=POLLIN}])
accept(8, {sa_family=AF_INET6, sin6_port=htons(52890), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 36
fcntl(36, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(36, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
fcntl(36, F_DUPFD, 64)                  = 64
close(36)                               = 0
setsockopt(64, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(64, SOL_TCP, TCP_NODELAY, [0], 4) = 0
getsockname(64, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}, {fd=64, events=POLLIN}], 5, 250) = 1 ([{fd=64, revents=POLLIN}])
futex(0x16ee83c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x16ee838, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=40, revents=POLLIN}])
read(40, "\0", 200)                     = 1
close(64)                               = 0
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 0 (Timeout)

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
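As an added example (not part of the original post or of 389-ds itself), the following Python script correlates 389 access-log lines by `conn=` id so that an intermittent TLS failure like the one above shows up as a count of "SSL connection" entries that were closed before a `TLS1.2 256-bit AES` negotiation line appeared, broken down per minute. It assumes the 1.2.x access-log line formats quoted in the post; the sample log embedded below is constructed from those two excerpts, with documentation-range IPs and extra connections added to give the summary more than one data point.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the two excerpts from the post (conn=97 and conn=904)
# plus invented connections 98 and 99 to show a second failure and an
# incomplete handshake. IPs are from the 192.0.2.0/24 documentation range.
SAMPLE_ACCESS_LOG = """\
[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
[26/Jan/2017:01:02:41 -0500] conn=98 fd=64 slot=64 SSL connection from 192.0.2.11 to 192.0.2.1
[26/Jan/2017:01:02:41 -0500] conn=98 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
[26/Jan/2017:01:03:05 -0500] conn=99 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from 192.0.2.10 to 192.0.2.1
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES
[26/Jan/2017:05:29:35 -0500] conn=904 op=0 BIND dn="uid=svc,ou=People,dc=example,dc=com" method=128 version=3
[26/Jan/2017:05:29:35 -0500] conn=904 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
SSL_START_RE = re.compile(r"^fd=\d+ slot=\d+ SSL connection from (?P<client>\S+) to (?P<server>\S+)$")
TLS_OK_RE = re.compile(r"^(?P<proto>(?:TLS|SSL)\d(?:\.\d)?) (?P<bits>\d+)-bit (?P<cipher>\S+)$")
CLOSED_RE = re.compile(r"^op=-1 fd=\d+ closed - (?P<reason>.+?)\.?$")


@dataclass
class SslConn:
    conn: int
    started: str          # timestamp of the "SSL connection from" line
    client: str
    status: str = "incomplete"   # incomplete | ok | handshake_failed
    cipher: Optional[str] = None
    reason: Optional[str] = None


def parse_access_log(text: str) -> Dict[int, SslConn]:
    """Track every SSL/TLS connection in a 389 access log by conn id."""
    conns: Dict[int, SslConn] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn_id, rest, ts = int(m["conn"]), m["rest"], m["ts"]
        start = SSL_START_RE.match(rest)
        if start:
            conns[conn_id] = SslConn(conn=conn_id, started=ts, client=start["client"])
            continue
        rec = conns.get(conn_id)
        if rec is None:
            continue  # plaintext port 389 traffic, or a connection whose start we never saw
        ok = TLS_OK_RE.match(rest)
        if ok:
            rec.status = "ok"
            rec.cipher = f"{ok['proto']} {ok['bits']}-bit {ok['cipher']}"
            continue
        closed = CLOSED_RE.match(rest)
        # A close that arrives before any negotiation line is a handshake failure;
        # a close after a successful negotiation is just a normal disconnect.
        if closed and rec.status == "incomplete":
            rec.status = "handshake_failed"
            rec.reason = closed["reason"]
    return conns


def summarize(conns: Dict[int, SslConn]) -> Dict[str, object]:
    """Count outcomes overall, by close reason, and per minute (to expose flapping)."""
    status_counts = Counter(r.status for r in conns.values())
    reasons = Counter(r.reason for r in conns.values() if r.reason)
    by_minute: Dict[str, Counter] = {}
    for r in conns.values():
        minute = r.started.rsplit(":", 1)[0]   # "26/Jan/2017:01:02:39 -0500" -> "26/Jan/2017:01:02"
        by_minute.setdefault(minute, Counter())[r.status] += 1
    return {
        "status": dict(status_counts),
        "reasons": dict(reasons),
        "by_minute": {k: dict(v) for k, v in by_minute.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_access_log(SAMPLE_ACCESS_LOG))
    print("outcomes:", summary["status"])
    print("close reasons before handshake completed:", summary["reasons"])
    for minute, counts in summary["by_minute"].items():
        print(f"{minute}: {counts}")
```

Run it against the real `/var/log/dirsrv/slapd-*/access` file (by replacing `SAMPLE_ACCESS_LOG` with the file contents) to see whether failures cluster in time, which is the "up for a minute or two, then fail" pattern the post describes, and whether any client ever negotiates successfully during a failing window. The `handshake_failed` count only includes closes that precede a cipher line, so ordinary disconnects after a good `TLS1.2` negotiation are not mistaken for failures.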
