From pckizer@nostrum.com  Fri Jan  6 21:43:46 2006
Return-Path: <pckizer@nostrum.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 715D516A41F;
	Fri,  6 Jan 2006 21:43:46 +0000 (GMT)
	(envelope-from pckizer@nostrum.com)
Received: from shaman.nostrum.com (shaman.nostrum.com [72.232.15.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1B24343D68;
	Fri,  6 Jan 2006 21:43:45 +0000 (GMT)
	(envelope-from pckizer@nostrum.com)
Received: from shaman.nostrum.com (pckizer@localhost.layeredtech.com [127.0.0.1])
	by shaman.nostrum.com (8.13.4/8.13.4) with ESMTP id k06LhhSe003980
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 6 Jan 2006 15:43:43 -0600 (CST)
	(envelope-from pckizer@shaman.nostrum.com)
Received: (from pckizer@localhost)
	by shaman.nostrum.com (8.13.4/8.13.4/Submit) id k06LhgaL003979;
	Fri, 6 Jan 2006 15:43:42 -0600 (CST)
	(envelope-from pckizer)
Message-Id: <200601062143.k06LhgaL003979@shaman.nostrum.com>
Date: Fri, 6 Jan 2006 15:43:42 -0600 (CST)
From: Philip Kizer <pckizer@nostrum.com>
Reply-To: Philip Kizer <pckizer@nostrum.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: vsevolod@freebsd.org
Subject: openldap23 ports (2.3.11) fail to do SSL/TLS
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         91422
>Category:       ports
>Synopsis:       openldap23 ports (2.3.11) fail to do SSL/TLS
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    vsevolod
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 06 21:50:01 GMT 2006
>Closed-Date:    Wed Mar 22 16:56:03 GMT 2006
>Last-Modified:  Wed Mar 22 16:56:03 GMT 2006
>Originator:     Philip Kizer
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD shaman.nostrum.com 6.0-STABLE FreeBSD 6.0-STABLE #1: Sun Nov 27 02:09:37 CST 2005 root@shaman:/usr/obj/usr/src/sys/CUSTOM i386



>Description:

openldap23-sasl-client is using OpenLDAP 2.3.11, which has a bug in TLS/SSL handling.
This was checked against up-to-date RELENG_5 and RELENG_6.


>How-To-Repeat:

sh% ldap_flags="-h operator.tamu.edu -LLL -b dc=tamu,dc=edu -x"

sh# ldapsearch -V 2>&1 | grep ldapsearch:
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.11 (Dec  1 2005 20:51:50) $

sh% ldapsearch $ldap_flags sn=noone

sh% ldapsearch $ldap_flags -Z sn=noone
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)



>Fix:

Applying a patch to the openldap23-server port to bring it up to the current release from openldap.org (2.3.15) corrects the problem:

sh# ldap_flags="-h operator.tamu.edu -LLL -b dc=tamu,dc=edu -x"

sh# ldapsearch -V 2>&1 | grep ldapsearch:
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.15 (Jan  6 2006 15:05:06) $

sh# ldapsearch $ldap_flags sn=noone

sh# ldapsearch $ldap_flags -Z sn=noone

The trivial changes I used are as follows (I was able to build, install, and package it and verify that it works, but I have not had a chance to test any other dependent ports):

% diff -ru ../openldap23-server-old .
diff -ru ../openldap23-server-old/Makefile ./Makefile
--- ../openldap23-server-old/Makefile	Tue Nov 15 00:50:32 2005
+++ ./Makefile	Fri Jan  6 15:34:23 2006
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=		openldap
-DISTVERSION=		2.3.11
+DISTVERSION=		2.3.15
 PORTREVISION=		${OPENLDAP_PORTREVISION}
 CATEGORIES=		net databases
 MASTER_SITES=		ftp://ftp.OpenLDAP.org/pub/OpenLDAP/%SUBDIR%/ \
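Review bot: the DISTVERSION bump from 2.3.11 to 2.3.15 leaves `PORTREVISION= ${OPENLDAP_PORTREVISION}` untouched, and that variable is defined outside this hunk; a new distribution version should start again at revision 0, so confirm that OPENLDAP_PORTREVISION is reset wherever it is set (for each slave port sharing this Makefile) rather than carrying a stale revision forward into the 2.3.15 packages.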
@@ -87,10 +87,10 @@
 OPENLDAP_PKGFILESUFX=
 
 .if defined(WITH_SASL) && !defined(WITHOUT_SASL)
-RUN_DEPENDS=		${LOCALBASE}/lib/libldap-2.3.so.1:${PORTSDIR}/net/openldap23-sasl-client
+RUN_DEPENDS=		${LOCALBASE}/lib/libldap-2.3.so.2:${PORTSDIR}/net/openldap23-sasl-client
 CONFLICTS=		${PKGNAMEPREFIX}${PORTNAME}-client-2.*
 .else
-RUN_DEPENDS=		${LOCALBASE}/lib/libldap-2.3.so.1:${PORTSDIR}/net/openldap23-client
+RUN_DEPENDS=		${LOCALBASE}/lib/libldap-2.3.so.2:${PORTSDIR}/net/openldap23-client
 CONFLICTS=		${PKGNAMEPREFIX}${PORTNAME}-sasl-client-2.*
 .endif
 
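Review bot: raising the RUN_DEPENDS check from libldap-2.3.so.1 to libldap-2.3.so.2 on both the SASL and non-SASL branches correctly forces the server to pull in a matching client, but a shared-library major bump means every port currently linked against libldap-2.3.so.1 stops loading until it is rebuilt; since the submitter states that dependent ports were not tested, this change needs a PORTREVISION bump on the ports that depend on openldap23-client (and openldap23-sasl-client) plus a ports/UPDATING entry telling users to rebuild them.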
diff -ru ../openldap23-server-old/distinfo ./distinfo
--- ../openldap23-server-old/distinfo	Wed Oct 19 08:08:10 2005
+++ ./distinfo	Fri Jan  6 15:34:12 2006
@@ -1,2 +1,2 @@
-MD5 (openldap-2.3.11.tgz) = fbde128a8421b8d2ea587a25057a281e
-SIZE (openldap-2.3.11.tgz) = 3657646
+MD5 (openldap-2.3.15.tgz) = 5553c4238c3f7ed114c89aa141e8fdc7
+SIZE (openldap-2.3.15.tgz) = 3714895
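Review bot: only MD5 and SIZE guard the fetched tarball here, and MD5 alone is collision-prone; a committer should regenerate distinfo by fetching openldap-2.3.15.tgz from the MASTER_SITES listed in the Makefile (`make makesum`) rather than committing the checksum as given in the PR, since the value 5553c4238c3f7ed114c89aa141e8fdc7 cannot be verified from this diff, and should include a SHA256 line if the ports framework in use records one.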
diff -ru ../openldap23-server-old/pkg-plist ./pkg-plist
--- ../openldap23-server-old/pkg-plist	Thu Sep 15 06:47:23 2005
+++ ./pkg-plist	Fri Jan  6 15:02:59 2006
@@ -11,38 +11,38 @@
 %%SLAPI%%lib/libslapi.a
 %%SLAPI%%lib/libslapi.so
 %%SLAPI%%lib/libslapi-2.3.so
-%%SLAPI%%lib/libslapi-2.3.so.1
+%%SLAPI%%lib/libslapi-2.3.so.2
 %%MODULES%%@exec mkdir -p %D/libexec/openldap
 %%BACK_BDB%%libexec/openldap/back_bdb.so
 %%BACK_BDB%%libexec/openldap/back_bdb-2.3.so
-%%BACK_BDB%%libexec/openldap/back_bdb-2.3.so.1
+%%BACK_BDB%%libexec/openldap/back_bdb-2.3.so.2
 %%BACK_HDB%%libexec/openldap/back_hdb.so
 %%BACK_HDB%%libexec/openldap/back_hdb-2.3.so
-%%BACK_HDB%%libexec/openldap/back_hdb-2.3.so.1
+%%BACK_HDB%%libexec/openldap/back_hdb-2.3.so.2
 %%BACKEND%%libexec/openldap/back_ldap.so
 %%BACKEND%%libexec/openldap/back_ldap-2.3.so
-%%BACKEND%%libexec/openldap/back_ldap-2.3.so.1
+%%BACKEND%%libexec/openldap/back_ldap-2.3.so.2
 %%BACKEND%%libexec/openldap/back_ldbm.so
 %%BACKEND%%libexec/openldap/back_ldbm-2.3.so
-%%BACKEND%%libexec/openldap/back_ldbm-2.3.so.1
+%%BACKEND%%libexec/openldap/back_ldbm-2.3.so.2
 %%BACKEND%%libexec/openldap/back_meta.so
 %%BACKEND%%libexec/openldap/back_meta-2.3.so
-%%BACKEND%%libexec/openldap/back_meta-2.3.so.1
+%%BACKEND%%libexec/openldap/back_meta-2.3.so.2
 %%BACKEND%%libexec/openldap/back_monitor.so
 %%BACKEND%%libexec/openldap/back_monitor-2.3.so
-%%BACKEND%%libexec/openldap/back_monitor-2.3.so.1
+%%BACKEND%%libexec/openldap/back_monitor-2.3.so.2
 %%BACKEND%%libexec/openldap/back_null.so
 %%BACKEND%%libexec/openldap/back_null-2.3.so
-%%BACKEND%%libexec/openldap/back_null-2.3.so.1
+%%BACKEND%%libexec/openldap/back_null-2.3.so.2
 %%BACK_PERL%%libexec/openldap/back_perl.so
 %%BACK_PERL%%libexec/openldap/back_perl-2.3.so
-%%BACK_PERL%%libexec/openldap/back_perl-2.3.so.1
+%%BACK_PERL%%libexec/openldap/back_perl-2.3.so.2
 %%BACK_SHELL%%libexec/openldap/back_shell.so
 %%BACK_SHELL%%libexec/openldap/back_shell-2.3.so
-%%BACK_SHELL%%libexec/openldap/back_shell-2.3.so.1
+%%BACK_SHELL%%libexec/openldap/back_shell-2.3.so.2
 %%BACK_SQL%%libexec/openldap/back_sql.so
 %%BACK_SQL%%libexec/openldap/back_sql-2.3.so
-%%BACK_SQL%%libexec/openldap/back_sql-2.3.so.1
+%%BACK_SQL%%libexec/openldap/back_sql-2.3.so.2
 libexec/slapd
 libexec/slurpd
 @unexec rmdir %D/libexec/openldap 2>/dev/null || true
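Review bot: every change in this hunk is the mechanical .so.1 to .so.2 rename of the backend module sonames, which matches the library bump in the client plist, but the plist was evidently not regenerated against 2.3.15 as a whole; four minor releases can add or drop installed files (manual pages, new overlays or backends), so verify the complete installed file list of the new version against pkg-plist before commit, for instance by installing into a clean PREFIX and diffing, or the package will leave orphaned files or fail to deinstall cleanly.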
diff -ru ../openldap23-server-old/pkg-plist.client ./pkg-plist.client
--- ../openldap23-server-old/pkg-plist.client	Thu Sep 15 06:47:23 2005
+++ ./pkg-plist.client	Fri Jan  6 15:03:04 2006
@@ -22,15 +22,15 @@
 lib/liblber.a
 lib/liblber.so
 lib/liblber-2.3.so
-lib/liblber-2.3.so.1
+lib/liblber-2.3.so.2
 lib/libldap.a
 lib/libldap.so
 lib/libldap-2.3.so
-lib/libldap-2.3.so.1
+lib/libldap-2.3.so.2
 lib/libldap_r.a
 lib/libldap_r.so
 lib/libldap_r-2.3.so
-lib/libldap_r-2.3.so.1
+lib/libldap_r-2.3.so.2
 @comment share/openldap/ucdata/case.dat
 @comment share/openldap/ucdata/cmbcl.dat
 @comment share/openldap/ucdata/comp.dat
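Review bot: replacing lib/liblber-2.3.so.1, lib/libldap-2.3.so.1 and lib/libldap_r-2.3.so.1 with the .so.2 entries is consistent with the RUN_DEPENDS change in the Makefile, but deinstalling the old client package then removes exactly the files every previously built consumer was linked against; the unversioned symlinks (lib/libldap.so, lib/libldap-2.3.so) still resolve, so a dependent binary only fails when the loader asks for the .so.1 soname, which a quick test of the OpenLDAP tools themselves will not catch. Run `ldd` over (or simply execute) the binaries of the dependent ports after the upgrade before declaring it safe.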
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->vsevolod 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Jan 6 21:54:21 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91422 
State-Changed-From-To: open->feedback 
State-Changed-By: delphij 
State-Changed-When: Wed Mar 22 14:23:03 UTC 2006 
State-Changed-Why:  
Recently vsevolod@ has updated the port to 2.3.19; does the
problem still persist?

http://www.freebsd.org/cgi/query-pr.cgi?pr=91422 
State-Changed-From-To: feedback->closed 
State-Changed-By: delphij 
State-Changed-When: Wed Mar 22 16:55:31 UTC 2006 
State-Changed-Why:  
Submitter has confirmed that the recent OpenLDAP update has resolved 
the issue.  Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91422 
>Unformatted:
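The How-To-Repeat transcript above shows `ldapsearch -Z` failing with "Connect error (-11)", which by itself does not say whether the server refused the StartTLS extended operation, the TLS handshake failed, or the client library mishandled the result. The following is an added example, not code from this PR or from OpenLDAP: a standard-library Python 3 probe that performs the LDAP StartTLS exchange by hand (the RFC 4511 ExtendedRequest/ExtendedResponse pair, BER-encoded) and then completes a verified TLS handshake, so each stage fails separately. The host name `ldap.example.test` in the `__main__` block is a placeholder, and the two response byte strings are constructed samples for offline testing.

```python
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511, section 4.14.1).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Encode a BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Encode one BER element: tag byte, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS } }.

    message_id is kept to 1..127 so a single INTEGER byte is a valid encoding."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must be in 1..127 for this encoder")
    msg_id = tlv(0x02, bytes([message_id]))    # INTEGER
    request_name = tlv(0x80, START_TLS_OID)    # [0] context-specific, primitive
    ext_req = tlv(0x77, request_name)          # [APPLICATION 23] ExtendedRequest
    return tlv(0x30, msg_id + ext_req)         # SEQUENCE


def read_tlv(buf, pos):
    """Decode the BER element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse LDAPMessage."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                            # [APPLICATION 24] ExtendedResponse
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(op, 0)           # LDAPResult.resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)    # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_message(sock):
    """Read one BER-framed LDAPMessage: header first, then the announced length."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        total = 2 + head[1]
    else:
        n = head[1] & 0x7F
        head += recv_exact(sock, n)
        total = 2 + n + int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, total - len(head))


def probe_starttls(host, port=389, timeout=5.0, context=None):
    """Send StartTLS on a plaintext LDAP socket and, if accepted, finish a verified TLS handshake.

    A TCP failure raises OSError, a refused StartTLS is reported with the server's result
    code, and a handshake failure raises ssl.SSLError, so the three stages are separable."""
    context = context or ssl.create_default_context()   # verifies the server certificate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(recv_message(sock))
        if code != 0:
            return {"stage": "starttls-refused", "result_code": code, "diagnostic": diag}
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return {"stage": "ok", "protocol": tls.version(), "cipher": tls.cipher()[0]}


# Constructed samples (not captured from any real server) for offline parsing checks.
SUCCESS_RESPONSE = bytes.fromhex("300c02010178070a010004000400")          # resultCode 0
REFUSED_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
                       tlv(0x0A, b"\x34") + tlv(0x04, b"") + tlv(0x04, b"TLS not supported")))

if __name__ == "__main__":
    print(probe_starttls("ldap.example.test"))   # placeholder host; replace before use
```

Result code 52 (unavailable) in the refused sample is the value a server may return when TLS is not configured; a code of 0 followed by an `ssl.SSLError` points at the handshake itself, which is the stage the PR's client-side error comes from.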
