Bug 7218 - LDAP server: stalled connection on LDAP TLS/LDAPs
LDAP server: stalled connection on LDAP TLS/LDAPs
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
Other Linux
: P3 major
: ---
Assigned To: Andrew Tridgell
samba4-qa@samba.org
:
Depends on:
Blocks: 6600
  Show dependency treegraph
 
Reported: 2010-03-06 08:42 UTC by Matthieu Patou
Modified: 2011-03-10 08:48 UTC (History)
4 users (show)

See Also:


Attachments
test postmap configuration file (185 bytes, application/octet-stream)
2010-03-06 08:43 UTC, Matthieu Patou
no flags Details
tcpdump capture on the same computer (7.40 KB, application/octet-stream)
2010-03-06 08:46 UTC, Matthieu Patou
no flags Details
tcpdump capture from another computer (6.07 KB, application/octet-stream)
2010-03-06 08:52 UTC, Matthieu Patou
no flags Details
Patch proposal (1.05 KB, patch)
2010-11-19 15:50 UTC, Matthieu Patou
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2010-03-06 08:42:25 UTC
The problem occur when using postmap (from postfix) to query samba 4 ldap to construct postfix table.

It occurs only when using TLS or LDAPS and only when the client and the server are on the same computer.
The problem occurs with and without password.

Here is the command used: postmap  -q mat ldap:/home/mat/test.cf

Where /home/mat/test.cf is a file for postmap to instruct it how to query the ldap server.

I attach 2 traces: 1 made from the same computer and one made from another computer.

It seems that the problem is that the server didn't reply to "Encrypted alert" from the client.

This problem is present on different version of samba (alpha10, alpha11, current git)
Comment 1 Matthieu Patou 2010-03-06 08:43:46 UTC
Created attachment 5464 [details]
test postmap configuration file

replace the IP of the server by the one you are testing and the base domain (DC=...) as well
Comment 2 Matthieu Patou 2010-03-06 08:46:32 UTC
Created attachment 5465 [details]
tcpdump capture on the same computer
Comment 3 Matthieu Patou 2010-03-06 08:52:30 UTC
Created attachment 5466 [details]
tcpdump capture from another computer
Comment 4 Matthias Dieter Wallnöfer 2010-03-06 10:24:16 UTC
Exactly this problem is a blocker for my passwords work. We really need to get this fixed since otherwise we cannot perform password change tests over LDAPS against Windows Server. I think abartlet is working on it.
Comment 5 Matthieu Patou 2010-03-06 11:53:59 UTC
Maybe it's easy to bisect this pb ?

I have it on a 8d3fc23157376af5657a09324509abace3c5ee4f installation.
I'm pretty sure I didn't had the problem with c3632e4efc506a401a9d75c4d75b14a1a220caa2 (alpha7).

It leave a number of humm 3160 revision to test :-)
Comment 6 Matthieu Patou 2010-03-06 15:04:22 UTC
I did the bisect.

git-bisect start
# good: [c3632e4efc506a401a9d75c4d75b14a1a220caa2] Mark as the Samba 4.0 alpha7 release
git-bisect good c3632e4efc506a401a9d75c4d75b14a1a220caa2
# bad: [ca2c645156a288ca35c5120e95bb9a878a889848] Fix build of Samba4 from tarball generated by mkrelease.sh
git-bisect bad ca2c645156a288ca35c5120e95bb9a878a889848
# skip: [6b167ae53b1774950d76a15ba92d9f24e59bc565] Use a switch statement in charset_name()
git-bisect skip 6b167ae53b1774950d76a15ba92d9f24e59bc565
# skip: [8cba97a16459eb1b1dc18c85e542ca571490ec5f] Fix a winbind memleak
git-bisect skip 8cba97a16459eb1b1dc18c85e542ca571490ec5f
# bad: [4c6547e8a1f872e5bc1e132ec4ccc6f634166932] Move 16 bytes from data to r/o text segment
git-bisect bad 4c6547e8a1f872e5bc1e132ec4ccc6f634166932
# good: [266b79e004470ae1859085ca018fd6aff6836059] s3-samr: implement more info levels in _samr_QueryDomainInfo().
git-bisect good 266b79e004470ae1859085ca018fd6aff6836059
# bad: [6eadb8a2855c729e742c72afcc9585adccc7bb12] s3: refactor utility function to handle splitting the directory from the mask
git-bisect bad 6eadb8a2855c729e742c72afcc9585adccc7bb12
# bad: [1a7898e3a8f2c2e2cacd645b97da88054df931ae] s3/getdcname:  Fix 'net' crash.
git-bisect bad 1a7898e3a8f2c2e2cacd645b97da88054df931ae
# bad: [3e1b6487e76232756b854fb28a9d28717ae7d1d3] Fix detection of "enum FAMCodes"
git-bisect bad 3e1b6487e76232756b854fb28a9d28717ae7d1d3
# bad: [6ff09b323e1bb3b82a27f6015ba94ccce36993af] s3:libsmb: return NT_STATUS_CONNECTION_INVALID if the fd is -1
git-bisect bad 6ff09b323e1bb3b82a27f6015ba94ccce36993af
# bad: [54d925a30469f9318717b8e6da7b433efd4efd70] s4-smbtorture: skip SetMemberAttributesOfGroup in RPC-SAMR for s3 as well.
git-bisect bad 54d925a30469f9318717b8e6da7b433efd4efd70
# bad: [418a2eeae8912d14e32b0119232b897e78221037] Don't require external use of internal enum smb_thread_lock_type
git-bisect bad 418a2eeae8912d14e32b0119232b897e78221037
# bad: [705f36b804093f656498f7963768a418672cd422] s3-samr: Fix SetUserInfo level 7 when there has been no name change.
git-bisect bad 705f36b804093f656498f7963768a418672cd422
# bad: [3d6f4a7af7b91d9f9ac9fd0b00af63bb23e371f7] Fix bug #6330 - DFS doesn't work on AIX. Jeremy.
git-bisect bad 3d6f4a7af7b91d9f9ac9fd0b00af63bb23e371f7
# bad: [7d6e4c7e950592112d09f7d98393c41e8097bba8] s3:smbd: fix the fix for mapped IPv4 address handling in release_ip().
git-bisect bad 7d6e4c7e950592112d09f7d98393c41e8097bba8
# good: [66cf7e1835d5d711c91d0541b05eb11b61267ba8] s3-selftest: run RPC-LSA-GETUSER against Samba 3.
git-bisect good 66cf7e1835d5d711c91d0541b05eb11b61267ba8
Comment 7 Matthieu Patou 2010-03-06 15:56:32 UTC
In fact no ... the script yield a false positive ... 
Comment 8 Matthieu Patou 2010-03-06 17:53:21 UTC
Reruning a bisect seems that we have the problem since alpha7.

After some bisect it seems that the pb is bb7e6f0f51a91e461c18efd392af3e4fc6174c34 :  Worked around a problem with select/poll/epoll and gnutls

Giving the title of the change and it's content it seems to be very good candidate!

# good: [0118b2301b29af0f22845c7e3ebb5df74ba13aeb] Don't use TMPDIR as variable, it's already used for other purposes. Don't include GIT revision in release version strings.
git-bisect good 0118b2301b29af0f22845c7e3ebb5df74ba13aeb
# bad: [c3632e4efc506a401a9d75c4d75b14a1a220caa2] Mark as the Samba 4.0 alpha7 release
git-bisect bad c3632e4efc506a401a9d75c4d75b14a1a220caa2
# good: [894d05bc41c683a47590cd237194e2b3b7ec0e67] s3-spoolss: restore delete_a_form().
git-bisect good 894d05bc41c683a47590cd237194e2b3b7ec0e67
# good: [ce71a7c9a753b8f2ec45ba35a5c46c78cacf6739] s3-spoolss: use pidl for _spoolss_ResetPrinter.
git-bisect good ce71a7c9a753b8f2ec45ba35a5c46c78cacf6739
# bad: [ca24822234d9dc77dbe3f351d6dbab5558efac39] Fix GDB_PROVISION mode
git-bisect bad ca24822234d9dc77dbe3f351d6dbab5558efac39
# bad: [2ca48d3740c40be2142ca7e7ad88aabdaa822c06] Fix printf type warning. Jeremy.
git-bisect bad 2ca48d3740c40be2142ca7e7ad88aabdaa822c06
# bad: [3089e004fe9d8f4cfee919a95f84b4611837ec87] s3: re-run make samba3-idl.
git-bisect bad 3089e004fe9d8f4cfee919a95f84b4611837ec87
# bad: [7f6618a3deb77fc5c4724c598ecacdbf87c5e9c4] tevent: rename tevent_req_set_timeout() => tevent_req_set_endtime()
git-bisect bad 7f6618a3deb77fc5c4724c598ecacdbf87c5e9c4
# good: [74940606f715bfc9d99ded2fb1d1da02d037609a] docs: extend the idmap_rid manpage
git-bisect good 74940606f715bfc9d99ded2fb1d1da02d037609a
# good: [b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302] fixed some of the TLS problems
git-bisect good b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302
# bad: [48ba64010046bece3b54009131f88c851ec82047] Merge branch 'master' of ssh://git.samba.org/data/git/samba into master-devel
git-bisect bad 48ba64010046bece3b54009131f88c851ec82047
# bad: [bb7e6f0f51a91e461c18efd392af3e4fc6174c34] Worked around a problem with select/poll/epoll and gnutls
git-bisect bad bb7e6f0f51a91e461c18efd392af3e4fc6174c34
Comment 10 Matthieu Patou 2010-03-08 03:29:47 UTC
Metze, 
Do you want me to try this branch and see if we have the same pb ? 
Comment 11 Stefan Metzmacher 2010-03-08 03:40:15 UTC
No, it's just a start... (I think it compiles but nothing more:-)
Comment 12 Stefan Metzmacher 2010-03-08 03:41:38 UTC
I think we should first try to fix the existing code (shouldn't be too
hard to trigger the Alert response)
Comment 13 Matthias Dieter Wallnöfer 2010-03-24 11:24:29 UTC
Okay, ekacnet. My problem has been fixed by http://gitweb.samba.org/samba.git/?p=samba.git;a=commitdiff;h=a2286bad67a772d290fead9832b7ca52877c40b2 and yours?
Comment 14 Matthias Dieter Wallnöfer 2010-03-28 13:25:08 UTC
Well - as you said ekacnet - the problem persists and was unrelated to mine.
Comment 15 Matthias Dieter Wallnöfer 2010-05-03 10:28:15 UTC
tridge, could you look into this?
Comment 16 Matthieu Patou 2010-05-03 11:21:46 UTC
I  remember that andrew told me that metze has started something related to socket that should solvethe pb in the long term (tstream)
Comment 17 Marcel Ritter 2010-09-30 13:05:57 UTC
Seems like the tstream/tls implementation is now available:

http://gitweb.samba.org/?p=samba.git;a=commit;h=ca360fba107f7948c52a5f7595ab0f99c8142e07

The problem with TLS/SSL connection however still
exists.
Comment 18 Matthias Dieter Wallnöfer 2010-09-30 13:35:06 UTC
Thanks! We really appreciate people who help to keep bug reports up-to-date.

(In reply to comment #17)
> Seems like the tstream/tls implementation is now available:
> 
> http://gitweb.samba.org/?p=samba.git;a=commit;h=ca360fba107f7948c52a5f7595ab0f99c8142e07
> 
> The problem with TLS/SSL connection however still
> exists.
> 

Comment 19 Stefan Metzmacher 2010-09-30 23:27:22 UTC
There's still this commit missing

http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=eafc4677cef045be

I haven't pushed it yet, because it needs a lot of testing.

It would be nice if you could test that one on top of master.
I'd really like to see if starttls works, I only tested SASL and LDAPS.
It would be great if someone could upload captures of postfix once using
StartTLS and once using LDAPS, as well as plain LDAP. 

metze
Comment 20 Marcel Ritter 2010-10-01 02:11:07 UTC
On your setup ldaps worked?

Just to make sure I got it right: master is
git://git.samba.org/samba.git, right?

After applying patch http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=eafc4677cef045be
to master - SSL handshake seems to be completely broken on my test machine.

Simple test(s) to reproduce:

# openssl s_client -connect atom:636
CONNECTED(00000003)
depth=0 /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ATOM.linex.r00t.la
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ATOM.linex.r00t.la
verify return:1
9716:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

# ldapsearch -x -H ldaps://atom
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Comment 21 Matthieu Patou 2010-10-01 17:39:49 UTC
Metze,

With a recent tree: 2:35AM  on 2/10/2010 with your patch I'm ok with my postfix pb (I run it in 3 minutes loop without pb).

for openssl I have this:

 openssl s_client -connect ares.home.matws.net:636
CONNECTED(00000003)
depth=0 /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
verify return:1
---
Certificate chain
 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
   i:/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnDCCAgegAwIBAgIEfSKmTDALBgkqhkiG9w0BAQUwczEdMBsGA1UEChMUU2Ft
YmEgQWRtaW5pc3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1
dG9nZW5lcmF0ZWQgY2VydGlmaWNhdGUxHDAaBgNVBAMTE0FSRVMuaG9tZS5tYXR3
cy5uZXQwHhcNMTAxMDAxMTgwMzQxWhcNMTIwODMxMTgwMzQxWjBzMR0wGwYDVQQK
ExRTYW1iYSBBZG1pbmlzdHJhdGlvbjE0MDIGA1UECxMrU2FtYmEgLSB0ZW1wb3Jh
cnkgYXV0b2dlbmVyYXRlZCBjZXJ0aWZpY2F0ZTEcMBoGA1UEAxMTQVJFUy5ob21l
Lm1hdHdzLm5ldDCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA6qsW65SEi2avIOJ1
w9ENWu+GxWhYNXUq2oJOh5nuo+ZaXvtRqs7zRZdHdVwhWQGEqa3y4W4RbEvcC9mE
xNhVE5+xqBivwlOG33sqoWn2dBnB7ccy+xmr+zbVURyr1W5Yntfx+phpCjctfYFr
OefzE7mTg+hqKuyULlUq7UxOIn8CAwEAAaNEMEIwDAYDVR0TAQH/BAIwADATBgNV
HSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUKWFPPrL8BEoBj774Dz/EQLLO6wsw
CwYJKoZIhvcNAQEFA4GBAEhWAJXROsKmgIld7ku60R4Dou3smiGQPYmsARJBf9Je
qxDHg1JJyFMXazIla8PJz1tTpPo9DYrBgtbTR6ajtRs5IPG8s78zSOoa5AFEVeMJ
fEI2jKIGgi/4l2ObzSBBWPjqnqryS4dECj9wbe+fqKgI6T0Jvsu8/RyxUUNqZewi
-----END CERTIFICATE-----
subject=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
issuer=/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=ARES.home.matws.net
---
SSL handshake has read 1465 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 97DB807BF97CE777BE966C54287049E09BC79D3A57B439AC7D19E798EADA07B2
    Session-ID-ctx: 
    Master-Key: 8F2C821FA155F694F987239E8D6367C77EDC5CEA1C26747B565C2E5D10C07E35FDBFE35A61366A5CAC40597848F3726E
    Key-Arg   : None
    Start Time: 1285972490
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


but as I told you already I have time to time a double free error.
Comment 22 Marcel Ritter 2010-10-03 12:37:21 UTC
Hi Matthieu,

what OS/gnutls version are you testing on?

On my SLES 11 box, with gnutls 2.4.1, "openssl s_client ..." still fails with patch applied.

Samba reports this:

TLS ../lib/tls/tls_tstream.c:1213 - GnuTLS internal error.
ldapsrv_terminate_connection: ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error - disconnecting
Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error'
single_terminate: reason[ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error]
Comment 23 Matthieu Patou 2010-10-03 13:31:00 UTC
Marcel,

I'm on ubuntu 10.04 
* libgnutls26 2.8.5-2
* libgnutls-dev 2.8.5-2
Comment 24 Marcel Ritter 2010-10-03 15:25:08 UTC
Just downloaded an compiled gnutls-2.10.2, set LD_LIBRARY_PATH, started samba 4, and finally: TLS/SSL works fine - no more errors.

So I tried some more versions to find out in what gnutls version things got fixed 

Tested versions:
2.4.1 -> broken
2.4.2 -> broken
2.6.0 -> broken
2.8.0 -> broken
2.8.1 -> broken
2.8.2 -> OK
2.8.3 -> OK
2.8.4 -> OK
2.8.5 -> OK
2.8.6 -> OK
2.10.0 -> broken
2.10.1 -> broken
2.10.2 -> OK

Searching gnutls git, I guess those are the two
patches fixing the problem. Maybe this helps to
find a work-around to make samba4 work with all
versions of gnutls:

Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01

Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb
Comment 25 Stefan Metzmacher 2010-10-04 09:13:15 UTC
Thanks I got that reproduced with gnutls-2.4.1.

But I don't know how we can work arround it...
Comment 26 Stefan Metzmacher 2010-10-08 05:54:08 UTC
Ok, I found a workaround...

The problem is that gnutls_handshake() triggers tstream_tls_push_function()
more than one time and it doesn't expect to get EAGAIN.
Now we'll wait for the next event cycle to trigger the write
and let the tstream_tls_push_function fill the buffer.

Comment 27 Matthias Dieter Wallnöfer 2010-10-08 07:34:11 UTC
Can this be marked as "FIXED"?
Comment 28 Matthieu Patou 2010-10-08 13:18:41 UTC
Let's give us the test with different version, as I observed different behavior in the handshake with the previous patch.
Comment 29 Marcel Ritter 2010-10-10 10:28:28 UTC
Seems Matthieu was correct - problem is solved for
some gnutls versions, but not all:
 
Tested versions:
2.4.1 -> OK
2.4.2 -> OK
2.6.0 -> OK
2.8.0 -> broken
2.8.1 -> broken
2.8.2 -> OK
2.8.3 -> OK
2.8.4 -> OK
2.8.5 -> OK
2.8.6 -> OK
2.10.0 -> broken
2.10.1 -> broken
2.10.2 -> OK
Comment 30 Matthias Dieter Wallnöfer 2010-10-10 11:05:28 UTC
Well, but it improved quiet a bit (comment #24). But is for example release 2.8.1 a minor release of 2.8? So we could argue that in order to get this working simply upgrade to the latest minor release.
Or other question: are the mentioned broken releases still in use by important Linux/UNIX distributions?

(In reply to comment #29)
> Tested versions:
> 2.4.1 -> OK
> 2.4.2 -> OK
> 2.6.0 -> OK
> 2.8.0 -> broken
> 2.8.1 -> broken
> 2.8.2 -> OK
> 2.8.3 -> OK
> 2.8.4 -> OK
> 2.8.5 -> OK
> 2.8.6 -> OK
> 2.10.0 -> broken
> 2.10.1 -> broken
> 2.10.2 -> OK
> 

Comment 31 Matthieu Patou 2010-11-19 15:50:30 UTC
Created attachment 6077 [details]
Patch proposal
Comment 32 Matthieu Patou 2010-11-19 16:06:20 UTC
Hi marcel,

can you try this patch and see if it fix the broken version, it fix the pb on ubuntu 10.10 with gnutls 2.9.10.

The idea of this patch is to increase the size of buffer of tstream so that the different step of the SSL handcheck are pushed in the same packet as the different implementation of gnutls time to time fails to have  a correct behavior when we chunk each step in a different package
Comment 33 Andrew Bartlett 2010-11-21 04:18:19 UTC
If increasing the buffer 'fixes' it, why shouldn't we just create a dynamic buffer here and hold a potentially infinite buffer?  Then we would not need to bother GnuTLS with the EAGAIN error that it clearly doesn't handle so well.
Comment 34 Marcel Ritter 2010-11-29 02:18:35 UTC
Hi, the proposed patch fixes the problems with early 2.10 releases, not for 2.8.0/1 (and 2.2.4)

(number at end of line is exit status of ldapsearch)

using gnutls version: 2.2.4 -> 254
using gnutls version: 2.2.5 -> 0
using gnutls version: 2.4.0 -> 0
using gnutls version: 2.4.1 -> 0
using gnutls version: 2.4.2 -> 0
using gnutls version: 2.4.3 -> 0
using gnutls version: 2.6.0 -> 0
using gnutls version: 2.6.1 -> 0
using gnutls version: 2.6.2 -> 0
using gnutls version: 2.6.3 -> 0
using gnutls version: 2.6.4 -> 0
using gnutls version: 2.6.5 -> 0
using gnutls version: 2.6.6 -> 0
using gnutls version: 2.8.0 -> 255
using gnutls version: 2.8.1 -> 255
using gnutls version: 2.8.2 -> 0
using gnutls version: 2.8.3 -> 0
using gnutls version: 2.8.4 -> 0
using gnutls version: 2.8.5 -> 0
using gnutls version: 2.8.6 -> 0
using gnutls version: 2.10.0 -> 0 (without patch: 255)
using gnutls version: 2.10.1 -> 0 (without patch: 255)
using gnutls version: 2.10.2 -> 0
using gnutls version: 2.10.3 -> 0
Comment 35 Matthias Dieter Wallnöfer 2010-12-03 04:06:04 UTC
Marcel, but do you agree to integrate this patch?

(In reply to comment #34)
> Hi, the proposed patch fixes the problems with early 2.10 releases, not for
> 2.8.0/1 (and 2.2.4)
> 
> (number at end of line is exit status of ldapsearch)
> 
> using gnutls version: 2.2.4 -> 254
> using gnutls version: 2.2.5 -> 0
> using gnutls version: 2.4.0 -> 0
> using gnutls version: 2.4.1 -> 0
> using gnutls version: 2.4.2 -> 0
> using gnutls version: 2.4.3 -> 0
> using gnutls version: 2.6.0 -> 0
> using gnutls version: 2.6.1 -> 0
> using gnutls version: 2.6.2 -> 0
> using gnutls version: 2.6.3 -> 0
> using gnutls version: 2.6.4 -> 0
> using gnutls version: 2.6.5 -> 0
> using gnutls version: 2.6.6 -> 0
> using gnutls version: 2.8.0 -> 255
> using gnutls version: 2.8.1 -> 255
> using gnutls version: 2.8.2 -> 0
> using gnutls version: 2.8.3 -> 0
> using gnutls version: 2.8.4 -> 0
> using gnutls version: 2.8.5 -> 0
> using gnutls version: 2.8.6 -> 0
> using gnutls version: 2.10.0 -> 0 (without patch: 255)
> using gnutls version: 2.10.1 -> 0 (without patch: 255)
> using gnutls version: 2.10.2 -> 0
> using gnutls version: 2.10.3 -> 0
> 

Comment 36 Stefan Metzmacher 2010-12-03 04:17:49 UTC
I've created a patch with a dynamic buffer, see
http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a051005679b0e64c

metze
Comment 37 Matthieu Patou 2010-12-03 07:21:14 UTC
The dynamic buffer patch works for me on ubuntu 10.10 
Comment 38 Marcel Ritter 2010-12-04 03:11:28 UTC
Results of a test run including the "dynamic buffer size" patch:

using gnutls version: 2.2.4 -> 254
using gnutls version: 2.2.5 -> 0
using gnutls version: 2.4.0 -> 0
using gnutls version: 2.4.1 -> 0
using gnutls version: 2.4.2 -> 0
using gnutls version: 2.4.3 -> 0
using gnutls version: 2.6.0 -> 0
using gnutls version: 2.6.1 -> 0
using gnutls version: 2.6.2 -> 0
using gnutls version: 2.6.3 -> 0
using gnutls version: 2.6.4 -> 0
using gnutls version: 2.6.5 -> 0
using gnutls version: 2.6.6 -> 0
using gnutls version: 2.8.0 -> 255
using gnutls version: 2.8.1 -> 255
using gnutls version: 2.8.2 -> 0
using gnutls version: 2.8.3 -> 0
using gnutls version: 2.8.4 -> 0
using gnutls version: 2.8.5 -> 0
using gnutls version: 2.8.6 -> 0
using gnutls version: 2.10.0 -> 0
using gnutls version: 2.10.1 -> 0
using gnutls version: 2.10.2 -> 0
using gnutls version: 2.10.3 -> 0
Comment 39 Stefan Metzmacher 2010-12-04 04:43:05 UTC
Ok, the dynamic buffer fix is on its way to master.

Can someone debug the still broken versions?
Comment 40 Marcel Ritter 2010-12-04 11:10:40 UTC
The following discussion is about the problem
existing in gnutls-2.8.0/1:

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668

Applying the mentioned gnutls patch to 2.8.0 or 2.8.1
makes these versions work. Maybe this helps to debug the
samba tsl problems:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=90bff7862c48c9a628e797b62ee9de6f34e0601f
Comment 41 Stefan Metzmacher 2010-12-14 09:02:31 UTC
Can you test this
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-tls-tstream
fixes more versions
Comment 42 Marcel Ritter 2010-12-17 06:59:02 UTC
Just ran the test with latest samba git and your
two patches applied:

  s4:tls_tstream: also use a dynamic buffer for the pul...
  s4:tls_tstream: fix partial reads, so that the gnutls... 

Results are the same as above (s. Comment #38)
Comment 43 Matthias Dieter Wallnöfer 2011-01-18 14:48:49 UTC
Btw. the two mentioned patches have made it into "master".
Comment 44 Matthias Dieter Wallnöfer 2011-02-04 02:01:00 UTC
Marcel, would you still like to keep this open?
Do you strictly depend on the broken versions of GnuTLS? Otherwise we could simply suggest our users to update to the latest minor release (e.g. 2.2.5, 2.8.6).
Comment 45 Marcel Ritter 2011-02-04 02:27:07 UTC
Hi Matthias,

I think it's not necessary to keep this open - it
really looks like a gnutls bug, so there's no real
way for samba to fix it.

However it'd be nice if "(waf) configure" or samba
itself could check the gnutls version. Or (even better)
tries to establish a ssl/tsl connection at startup
and give a hint about broken gnutls versions if this
connection fails. Just an idea :-)

PS: Keep up the great work!


Comment 46 Matthias Dieter Wallnöfer 2011-02-05 05:50:58 UTC
Marcel,

at the moment we've the following checks:
> Checking for gnutls >= 1.4.0                                            : yes 
> Checking for library gnutls                                             : yes 
> Checking for gnutls_global_init                                         : ok  
> Checking for header gnutls/x509.h                                       : yes 
> Checking for variable gnutls_x509_crt_set_version                       : ok  
> Checking for variable gnutls_x509_crt_set_subject_key_id                : ok  
> Checking for gnutls_datum                                               : ok  
> Checking for gnutls_datum_t                                             : ok  

And these are derived by the WAF file "source4/lib/tls/wscript". Probably there could be made some enhancements (exclude the broken versions).
The other idea to prove the fitness at runtime by trying to execute a short test program is also possible in WAF - but the code has to be written by someone. Would you like to provide us something? Basically it should be a short C snippet - "lib/replace/wscript" CHECK_CODE paragraphs show the functionality (return 0 is success, != 0 failure).
Comment 47 Matthias Dieter Wallnöfer 2011-02-15 15:42:45 UTC
Marcel, is it possible for you to write such a patch or do I have to find someone else?
Comment 48 Marcel Ritter 2011-02-16 02:10:40 UTC
Hi Matthias,

during the tests on this bug I had a few looks into the gnutls code, and I don't think that I'll find the time to truly understand it enough to write a clean check in the foreseeable future, sorry.

Marcel
Comment 49 Matthias Dieter Wallnöfer 2011-03-10 08:48:33 UTC
The patch should soon land in "master".

Finally got this long bug report fixed.