[Catalyst] C:P:A:Store::LDAP start_tls problems

Scott Karns scottkinsf at yahoo.com
Wed Mar 29 22:49:33 CEST 2006


--- Scott Karns <scottkinsf at yahoo.com> wrote:
> I tried your suggestion of enabling start_tls server
> verification, including the cachain, and leaving out
> the clientcert/key -- that works without the failure
> I reported. There's obviously something I'm not
> understanding about what the required content of the
> clientcert is.
> 
> However, I'm still seeing the intermittent deep
> recursion problem in IO::Socket::SSL. :(

After some hair tearing (and I don't have much to tear
out!), I've at least found something consistent about
this failure. I hope it leads to a fix. Perhaps
someone can make a suggestion.

Context is:
  Catalyst-5.66
  Catalyst-Plugin-Authentication-Store-LDAP-0.04
  Catalyst-Plugin-Authorization-Roles-0.04
  Catalyst-Plugin-Authorization-ACL-0.06
  ...
  Net::LDAP-0.33
  IO::Socket::SSL-0.97
  openssl-0.97g

Situation: I'm authenticating users against an LDAP
repository on another server. I've specified start_tls
=> 1 so my passwords aren't passed over the wire in
clear text. This works -- most of the time.
Occasionally, it fails in various places down in the
bowels of IO::Socket::SSL with deep recursion errors.

I've finally identified what I guess must be the
trigger: when the _SSL_fileno field of the
IO::Socket::SSL object grabbed by connect_ldaps in
Net::LDAP is 0, the deep recursion error occurs. It
never occurs when the _SSL_fileno field is nonzero.
This must be a problem with IO::Socket::SSL, right? (I
suppose it could be the openssl library as well.)

In case anyone's interested, I've attached a dump of
the problem along with the source of the connect_ldaps
method. Now for some more forensics work down in
IO::Socket::SSL.

Cheers,
Scott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-start_tls-error
Type: application/octet-stream
Size: 3896 bytes
Desc: 1927132075-ldap-start_tls-error
Url : http://lists.rawmode.org/pipermail/catalyst/attachments/20060329/1f32f82d/attachment-0001.obj 
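For readers following this thread, the configuration Scott reports as working (server verification against a CA chain, no client certificate) written out as a stand-alone Net::LDAP script. This is an added example, not code from the mail, the Catalyst plugin or Net::LDAP's own distribution; the host name, CA bundle path and DN are constructed placeholders. It refuses to send the bind password unless start_tls actually succeeded and the underlying socket is an IO::Socket::SSL, and it prints the socket's file descriptor so a failure like the one described above can be correlated with the fd in use.

```perl
#!/usr/bin/perl
# Added example (not from the original mail or the Catalyst plugin):
# open an LDAP connection, upgrade it with StartTLS, and only send a bind
# password once the server certificate has verified against our CA chain.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Constructed values; replace with your own directory server and CA bundle.
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/corp-ca-chain.pem';   # the "cachain" from the quoted suggestion
my $dn     = 'uid=scott,ou=people,dc=example,dc=com';
my $passwd = $ENV{LDAP_TEST_PASSWORD} // die "set LDAP_TEST_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "connect to $host failed: $@";

# Server verification only, no clientcert/clientkey: the combination the
# mail reports as working.  verify => 'require' makes start_tls fail the
# upgrade instead of continuing on a channel whose peer could not be checked.
my $tls = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);
die 'start_tls failed: ' . $tls->error . "\n" if $tls->code != LDAP_SUCCESS;

# Belt and braces before the password goes over the wire: the socket object
# must now be an IO::Socket::SSL.  The fd is logged so that a failure can be
# correlated with the _SSL_fileno observation in the mail above.
my $sock = $ldap->socket;
die "socket was not upgraded to TLS\n" unless $sock->isa('IO::Socket::SSL');
printf "TLS up on fd %d, cipher %s\n", fileno($sock), $sock->get_cipher;

my $bind = $ldap->bind($dn, password => $passwd);
die 'bind failed: ' . $bind->error . "\n" if $bind->code != LDAP_SUCCESS;
print "authenticated as $dn\n";

$ldap->unbind;
```

Running it from a shell with `LDAP_TEST_PASSWORD` set exercises exactly the path the Catalyst store takes on each login (connect, start_tls, bind), outside the web application, which makes an intermittent TLS-layer fault much easier to reproduce in a loop. Whether your version of the Catalyst plugin lets you pass these `verify`/`cafile` options through to Net::LDAP is an assumption to check against its documentation.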

