Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 2 Aug 2011 22:30:11 GMT
From:      Harry Coin <harrycoin@aol.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/159398: openssl slapd tls init def ctx failed: -1
Message-ID:  <201108022230.p72MUBub055325@red.freebsd.org>
Resent-Message-ID: <201108022240.p72MeCis023814@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         159398
>Category:       ports
>Synopsis:       openssl slapd tls init def ctx failed: -1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 02 22:40:11 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Harry Coin
>Release:        8.2-STABLE
>Organization:
Quiet Fountain LLC
>Environment:
8.2-STABLE generic amd64
>Description:
openldap slapd fails to start at boot time, blocking directory server operations, every time under certain undocumented conditions.

If slapd.conf has

TLSCACertificatePath /some/legal/path/to/CACerts

and there exists even one file in that directory that is protected against reading by user ldap:ldap (such as perhaps the <ca name>.srl file for folk who have their own internal CA root certificates for signing multiple ldap servers, which openssl looks for in the same directory with the certificates) then:

../rc.d/slapd start fails to start, and the debug log has the obscure error

tls init def ctx failed: -1

This, even though all the certificates necessary for slapd operation are there and readable by the ldap user.  
>How-To-Repeat:
1. Use "openssl verify" ... to prove the certificates are good.
2. be sure one file exists in the TLSCACertificatePath directory that is not readable by user ldap:ldap.  The file can be anything, any length, unrelated to slapd operations, not even a certificate at all.

3. As root, run .../libexec/slapd manually and notice proper operations.

4. then notice failure every time running ../libexec/slapd -u ldap -g ldap
or .../rc.d/slapd start
>Fix:
Workaround: Make sure all the files in the certificate directory are readable by user LDAP, no matter what their purpose or content.

Otherwise, it needs a source fix.

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201108022230.p72MUBub055325>