We had to update our server from CentOS 6.7 to CentOS 6.8 due to security compliance. When doing so, however, it caused 389 to be unstable on TLS/SSL port 636. It would be up for a minute or two (and take connections), then fail with the following error when a server/script tried to connect. The non-TLS/SSL port 389 would work fine without any issues/errors. Before we patched, it would work without issues. Connecting to the port shows no issue with the certificate.
[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
From the client:
TLS: loaded CA certificate file /etc/pki/tls/certs/bundle.crt.
TLS: certificate [CN=XXXXXX.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated] is valid
TLS: error: tlsm_PR_Recv returned -1 - error 104:Connection reset by peer
TLS: error: connect - force handshake failure: errno 104 - moznss error -5961
TLS: can't connect: TLS error -5961:TCP connection reset by peer.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind
Normal Connection:
[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES
Current Version of 389 (389 was already updated and working well before the 6.8 upgrade):
389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-console-1.1.7-1.el6.noarch
NSS (some updated during the upgrade):
nss-3.21.0-8.el6.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64
nss-softokn-freebl-3.14.3-23.el6_7.i686
nss-softokn-freebl-3.14.3-23.el6_7.x86_64
nss-sysinit-3.21.0-8.el6.x86_64
nss-tools-3.21.0-8.el6.x86_64
nss-util-3.21.0-2.el6.x86_64
Port is open:
tcp 0 0 :::636 :::* LISTEN
Approx Strace:
getpeername(8, 0x7ffe450d5980, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=8, revents=POLLIN}])
accept(8, {sa_family=AF_INET6, sin6_port=htons(52890), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 36
fcntl(36, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(36, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(36, F_DUPFD, 64) = 64
close(36) = 0
setsockopt(64, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(64, SOL_TCP, TCP_NODELAY, [0], 4) = 0
getsockname(64, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
getpeername(8, 0x7ffe450d5980, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}, {fd=64, events=POLLIN}], 5, 250) = 1 ([{fd=64, revents=POLLIN}])
futex(0x16ee83c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x16ee838, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
getpeername(8, 0x7ffe450d5980, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=40, revents=POLLIN}])
read(40, "\0", 200) = 1
close(64) = 0
getpeername(8, 0x7ffe450d5980, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 0 (Timeout)
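An added example (not from the post or the 389 project) that parses access-log lines in the format quoted above, treating an SSL connection that closes before its cipher line was logged as a handshake failure, and counts those failures per client so a single broken client can be told apart from a server-side problem affecting everyone. The sample lines are constructed, with placeholder 10.0.0.x addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log format shown in the post;
# 10.0.0.x addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.1
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from 10.0.0.7 to 10.0.0.1
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES
[26/Jan/2017:05:30:01 -0500] conn=905 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OPEN_RE = re.compile(r'^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to \S+$')
CIPHER_RE = re.compile(r'^TLS(?P<ver>[\d.]+) (?P<cipher>.+)$')
CLOSED_RE = re.compile(r'^op=-?\d+ fd=\d+ closed - (?P<reason>.+)$')


def parse_access_log(text):
    """Fold the per-line events into one record per conn id."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        rest = m.group('rest')
        c = conns.setdefault(int(m.group('conn')), {
            'ts': m.group('ts'), 'src': None, 'ssl': False,
            'cipher': None, 'closed': None})
        o, k, x = OPEN_RE.match(rest), CIPHER_RE.match(rest), CLOSED_RE.match(rest)
        if o:        # connection accepted; "SSL" marks the LDAPS listener (636)
            c['src'], c['ssl'] = o.group('src'), o.group('ssl') is not None
        elif k:      # cipher line: the TLS handshake completed
            c['cipher'] = 'TLS' + k.group('ver') + ' ' + k.group('cipher')
        elif x:      # closed with a reason
            c['closed'] = x.group('reason')
    return conns


def tls_handshake_failures(conns):
    """SSL connections that closed before a cipher was logged: handshake failures."""
    return [c for c in conns.values() if c['ssl'] and c['cipher'] is None and c['closed']]


def failures_by_client(conns):
    """Count handshake failures per source address (one broken client vs. all clients)."""
    counts = defaultdict(int)
    for c in tls_handshake_failures(conns):
        counts[c['src']] += 1
    return dict(counts)
```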
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx