[Catalyst] C:P:A:Store::LDAP start_tls problems

Scott Karns scottkinsf at yahoo.com
Mon Mar 27 15:40:54 CEST 2006


Gavin,

Thank you for your reply. I think I've used the
clientcert/key correctly -- they are configured so
that the commonName field of the clientcert is the
hostname of the machine on which the webapp runs. The
LDAP repository resides on a different host, and its
certificate corresponds to that hostname. I've been
using LDAP authentication with server verification
using OpenLDAP for all my internal clients, Windows
and Linux, without problem for several years now. All
certificates are signed by the same CA.

I tried your suggestion of enabling start_tls server
verification, including the cachain, and leaving out
the clientcert/key -- that works without the failure I
reported. There's obviously something I'm not
understanding about what the required content of the
clientcert is.

However, I'm still seeing the intermittent deep
recursion problem in IO::Socket::SSL. :(

Thanks again!

-Scott


--- Gavin Henry <ghenry at perl.me.uk> wrote:

> These settings are wrong.
> 
> You only need to set the CACert to connect. The
> client certs are for connecting to the server with
> different client certs that have been signed by your
> CA, not the server's certs.
> 
> >
> > Ultimately I'm trying to track the source of these
> > errors:
> >
> > Deep recursion on subroutine "IO::Socket::SSL::SSL_HANDLE::FILENO" at /usr/lib/perl5/5.8.7/i386-linux/IO/Handle.pm line 383, <DATA> line 283 (#1)
> >     (W recursion) This subroutine has called itself (directly or indirectly)
> >     100 times more than it has returned.  This probably indicates an
> >     infinite recursion, unless you're writing strange benchmark programs, in
> >     which case it indicates something else.
> >
> > Deep recursion on subroutine "IO::Socket::SSL::fileno" at /usr/lib/perl5/vendor_perl/5.8.7/IO/Socket/SSL.pm line 550, <DATA> line 283 (#1)
> > Deep recursion on subroutine "IO::Handle::fileno" at /usr/lib/perl5/vendor_perl/5.8.7/IO/Socket/SSL.pm line 334, <DATA> line 283 (#1)
> >
> > I've isolated occurrences of the above errors to
> > having start_tls set to 1 in
> > config->{authentication}->{ldap}
> > The error does not occur with every auth attempt,
> > only occasionally.
> 
> This will be because you are trying to connect and
> set up the encryption with the same certs, i.e. connect
> with the server certs as the client certs, so they are
> going round and round trying to set up the TLS session.
> 
> >
> > With everything else untouched and start_tls set
> > to 0, I cannot reproduce the deep recursion error.
> >

