Environment
Novell NetWare 6.5 Support Pack 1
Novell eDirectory 8.7.3 for NetWare 6.5
NTLS 1.80 - OpenSSL
Situation
Error in LDAP OpenSSL client: -5875 SSL3 Alert Bad Record Mac
NLDAP stops responding to LDAPS client requests; NLDAP has to be unloaded
and reloaded to recover.
Error in the DSTRACE screen with the +ldap flag:
TLS accept failure 1 on connection 0x525b60e0, setting err = -5875. Error stack:
error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Error from the OpenSSL client:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
Resolution
Issue 1: Resolved in NTLS version 10810.05, which is shipped in the field
test file secupd6.tgz. That file is currently in beta as field test file
ss1012.tgz.
Issue 2: Addressed in secupd7.tgz and higher, and in the new NTLS contained
in eDir8736.exe.
Additional Information
This is actually two separate issues, typically seen only on multiprocessor
(MP) enabled servers:
1. NTLS is unable to detect the NICI error and re-create the context on the
fly, because the private key's context has been destroyed by a NICI error.
Since a -5875 error is fairly generic, to determine whether this is the
issue:
a. Run DSTRACE with the ldap flag turned on to confirm that the error is
seen only on SSL connections.
b. While the problem is occurring, confirm that all SSL LDAP connections
fail but cleartext LDAP connections succeed.
c. Verify that unloading and reloading NLDAP resolves the situation.
2. NTLS itself causes the NICI error: NTLS did not have the proper locking
to prevent two threads from using the same context at the same time.
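As an added example (not Novell's code and not part of the original TID), the following Python parses the DSTRACE and OpenSSL client lines quoted above, decodes the packed OpenSSL error codes (library, function and reason fields), and combines that log evidence with the operator's answers to checks b and c, which cannot be read from the trace, into a triage verdict. The sample lines are the ones quoted in this TID; the regular expressions, function names, verdict strings and the small RFC 5246 alert-name table are this example's own assumptions.

```python
"""Triage helper for the NTLS -5875 / "bad record mac" signature.

Added example, not Novell's code. OpenSSL (before 3.0) packs an error code
as lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits); reason
codes at or above 1000 (SSL_AD_REASON_OFFSET) are TLS alerts received from
the peer, so 1020 is alert 20, bad_record_mac.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the trace and client lines quoted in this TID, re-joined.
SAMPLE_DSTRACE = (
    "TLS accept failure 1 on connection 0x525b60e0, setting err = -5875. "
    "Error stack:\n"
    "error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad "
    "record mac\n"
)
SAMPLE_CLIENT = (
    "ldap_bind: Can't contact LDAP server (-1)\n"
    "additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 "
    "alert bad record mac\n"
)

ERR_LIB_SSL = 20                 # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000      # alert-derived SSL_R_* codes start here
NTLS_ERR_BAD_RECORD_MAC = -5875  # the NTLS error this TID is about
TLS_ALERT_NAMES = {              # subset of RFC 5246 AlertDescription values
    20: "bad_record_mac",
    21: "decryption_failed",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
}

# Line shapes assumed from the TID's own trace excerpt.
ACCEPT_RE = re.compile(
    r"TLS accept failure \d+ on connection (0x[0-9A-Fa-f]+), setting err = (-?\d+)"
)
OPENSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


@dataclass
class OpenSSLError:
    code: int
    lib_name: str
    func_name: str
    reason_text: str

    @property
    def library(self) -> int:
        return (self.code >> 24) & 0xFF

    @property
    def function(self) -> int:
        return (self.code >> 12) & 0xFFF

    @property
    def reason(self) -> int:
        return self.code & 0xFFF

    @property
    def alert(self) -> Optional[int]:
        """TLS alert number when the reason maps to a known alert, else None."""
        r = self.reason - SSL_AD_REASON_OFFSET
        return r if r in TLS_ALERT_NAMES else None

    @property
    def alert_name(self) -> str:
        return TLS_ALERT_NAMES.get(self.alert, "n/a")


def parse_openssl_errors(text: str) -> List[OpenSSLError]:
    """Extract every OpenSSL error-stack entry from trace or client output."""
    return [OpenSSLError(int(m.group(1), 16), m.group(2), m.group(3),
                         m.group(4).strip()) for m in OPENSSL_RE.finditer(text)]


def parse_accept_failures(text: str) -> List[Tuple[str, int]]:
    """Return (connection id, NTLS err) for each TLS accept failure line."""
    return [(m.group(1), int(m.group(2))) for m in ACCEPT_RE.finditer(text)]


def has_bad_record_mac_signature(dstrace_text: str, client_text: str = "") -> bool:
    """Check a: an accept failure set to -5875 on the server plus an
    SSL-library error whose reason is the bad-record-mac condition."""
    server_hit = any(err == NTLS_ERR_BAD_RECORD_MAC
                     for _, err in parse_accept_failures(dstrace_text))
    mac_hit = any(e.library == ERR_LIB_SSL and
                  (e.alert == 20 or "bad record mac" in e.reason_text)
                  for e in parse_openssl_errors(dstrace_text + "\n" + client_text))
    return server_hit and mac_hit


def triage(dstrace_text: str, client_text: str,
           cleartext_binds_succeed: bool, nldap_reload_fixed_it: bool) -> str:
    """Combine check a (logs) with the operator's checks b and c."""
    if not has_bad_record_mac_signature(dstrace_text, client_text):
        return "different failure: no -5875 / bad record mac signature"
    if not cleartext_binds_succeed:
        return "not this TID: cleartext LDAP also fails, look at NLDAP itself"
    if not nldap_reload_fixed_it:
        return "inconclusive: signature matches but an NLDAP reload did not clear it"
    return "matches this TID: NICI context lost on an MP server, apply the NTLS update"


if __name__ == "__main__":
    for e in parse_openssl_errors(SAMPLE_DSTRACE + SAMPLE_CLIENT):
        print(f"{e.code:08X} lib={e.library} func={e.function} "
              f"reason={e.reason} alert={e.alert} ({e.alert_name}) {e.reason_text!r}")
    print(triage(SAMPLE_DSTRACE, SAMPLE_CLIENT, True, True))
```

The server-side code 1408F455 decodes to library 20 (SSL), function 0x08F (SSL3_GET_RECORD) and reason 0x455, which is not in the small alert table, so only the reason text identifies it; the client-side 140943FC carries reason 1020, alert 20, bad_record_mac, matching the alert the server sent.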
Formerly known as TID# 10093750
Formerly known as TID# NOVL97955