
Bug#403212: marked as done (Trouble with SSL and certificates)



Your message dated Wed, 16 Nov 2022 01:20:11 +0000
with message-id <E1ov763-0016tp-7a@fasolo.debian.org>
and subject line Bug#1024140: Removed package(s) from unstable
has caused the Debian Bug report #403212,
regarding Trouble with SSL and certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
403212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403212
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libnss-ldap
Version: 238-1


It seems I have finally tracked down a problem that I have had when using
libnss-ldap/libpam-ldap on sarge.
The servers are Debian sarge, the clients Debian sarge or Ubuntu (same
problem spotted).

The clients connect via SSL to an OpenLDAP server (really two replicated
ones, but that does not matter...), using a hand-made root CA certificate.

On the client I have set up in /etc/ldap/ldap.conf (the OpenLDAP libraries'
configuration file) a simple:

	TLS_CACERTDIR   /etc/ssl/certs

and copied the hand-made root CA to /etc/ssl/certs, running c_rehash.

If /etc/ssl/certs contains only my root CA, or a few (2-3) others, there
seems to be no trouble at all.

But if I install the package ca-certificates, populating /etc/ssl/certs
with many certificates, the system simply 'hangs' at 100% CPU load for
every simple account or password access, e.g. a simple 'getent passwd'
chokes the system completely for 4-5 minutes, on an Intel Pentium D!!!
Booting (or shutting down) the box in this setup can take half an
hour!!!

It seems that libnss-ldap/libpam-ldap or the OpenLDAP library spends a
heavy bunch of CPU cycles 'enumerating' (in some way) the certificates.

Clearly, if I set in /etc/ldap/ldap.conf:

	TLS_CACERT      /etc/ssl/certs/MyROOTCA.pem

(i.e., I force the certificate to use) the problem disappears, but this is
far from optimal, because in general, within the OpenLDAP library's domain,
it could be that I need to access some other servers, with their proper CA
certs...


The strange thing, and hence the bug report, is that if I explicitly set
the certificate of the CA in libnss-ldap.conf/pam_ldap.conf with:

	tls_cacertfile	/etc/ssl/certs/MyROOTCA.pem

this value is totally ignored, so I cannot define 'general' certificate
dirs for the OpenLDAP library (with CACERTDIR in ldap.conf) and a specific
certificate for libnss/libpam-ldap (in libnss-ldap.conf/pam_ldap.conf).

libnss-ldap/libpam-ldap are not 'strangely' configured: only debconf,
and then manually edited to remove the host instance and enable the uri
instance as:

	uri ldaps://server1.dom.name/ ldaps://server2.dom.name/

I have tried with only one server; nothing changed.


It has been months, if not years, that I have been 'turning around' this
bug; I only hope I'm not missing something...

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797


--- End Message ---
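The report above contrasts a CA directory (TLS_CACERTDIR plus c_rehash) with a
single CA file (TLS_CACERT / tls_cacertfile). The following script is an added
example, not code from the reporter, from libnss-ldap or from Debian: it shows
what c_rehash actually produces and how OpenSSL's CApath lookup depends on it,
which is the part of the setup that is easy to get subtly wrong. It generates a
throwaway root CA and a server certificate in a scratch directory (the CA name,
the server name ldap.example.test and the file name MyROOTCA.pem are assumed),
then checks the same server certificate three ways: against a directory that
merely contains a copy of the CA (not found), against the same directory after
a c_rehash-style symlink is added (found), and against the CA file directly.
It does not reproduce the CPU-load behaviour the reporter describes.

```shell
#!/bin/sh
# Added example (not the reporter's setup, not part of the Debian bug): how
# OpenSSL resolves a CA *directory* of the kind named by TLS_CACERTDIR, and why
# the directory must be run through c_rehash (or an equivalent) before any CA
# in it is found.  Everything below is generated in a scratch directory; the
# CA name, server name and file names are assumptions for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed root, standing in for a hand-made root CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example hand-made root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# A leaf certificate for an assumed LDAP server name, signed by that root.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# What c_rehash does for one file: a CApath lookup opens <subject_hash>.<n>,
# so a certificate copied into the directory under any other name is invisible.
rehash_one() {
    cert=$1
    dir=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$cert")" "$dir/$hash.$n"
}

# Prints "ok" or "fail": does server.pem chain to a CA found in directory $1?
verify_with_dir() {
    if openssl verify -CApath "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Same check against a single CA file, the TLS_CACERT / tls_cacertfile style.
verify_with_file() {
    if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Runs the three-step scenario in directory $1 and prints one line per step.
demo() {
    dir=$1
    mkdir -p "$dir"
    cp "$WORK/ca.pem" "$dir/MyROOTCA.pem"
    echo "bare copy in CApath: $(verify_with_dir "$dir")"            # fail
    rehash_one "$dir/MyROOTCA.pem" "$dir"
    echo "after rehash:        $(verify_with_dir "$dir")"            # ok
    echo "explicit CAfile:     $(verify_with_file "$dir/MyROOTCA.pem")"  # ok
}

make_ca
make_server_cert
demo "$WORK/certs"
```

The point to take from the first line of output is that a CApath is not
enumerated: OpenSSL computes the subject hash of the issuer it is looking for
and opens files named after that hash, so a CA dropped into /etc/ssl/certs
without a rehash is simply never consulted, and a stale hash link left behind
after a CA is replaced points at the old file.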
--- Begin Message ---
Version: 265-6+rm

Dear submitter,

as the package libnss-ldap has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1024140

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
