1 Reply Latest reply: Dec 6, 2012 2:36 PM by EJP

Some RST are seen during TCP disconnection when using SSL connection

978467 Newbie

It is expected that the disconnection sequence for a secure connection is as follows:

client ************************* server
--- alert (warning, close notify) --->
<--- alert (warning, close notify) ---

in any order, and then:

--------------- FIN, ACK ------------>
<----------- FIN, ACK ---------------
------------------ ACK ----------------->

Instead of the sequence described above, the TCP connection for a secure connection is closed with an RST.
For instance, Wireshark capture shows that an SSL+SASL TCP connection is closed in the following manner:

client ************************** server
--- alert (warning, close notify) ---->
---------------- FIN, ACK ------------>
<--- alert (warning, close notify) ---
<----------- FIN, ACK ---------------------
------------ RST -----------------> *(This RST message should be investigated, an ACK message was expected)*

Server: OpenLDAP: slapd 2.4.23


Client: (java version "1.6.0_16")

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;

class Client {
    private static final String DEFAULT_INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    public static void main(String[] args) {
        // SSL: LDAP connection wrapped in SSL via JNDI (Context.SECURITY_PROTOCOL = "ssl")
        try {
            // Key and trust material for the TLS handshake
            // (a single backslash in the path is written as "\\" in a Java string literal)
            System.setProperty("javax.net.ssl.keyStore", "c:\\keystore");
            System.setProperty("javax.net.ssl.keyStorePassword", "adminadmin");
            System.setProperty("javax.net.ssl.trustStore", "c:\\keystore");
            System.setProperty("javax.net.ssl.trustStorePassword", "adminadmin");

            // Set up environment for creating initial context
            Hashtable<String, String> env = new Hashtable<String, String>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, DEFAULT_INITIAL_CONTEXT_FACTORY);

            // Must use the name of the server that is found in its certificate
            env.put(Context.PROVIDER_URL, "ldap://1.2.4.4:16415");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");

            env.put(Context.SECURITY_PRINCIPAL, "cn=manager,dc=operator,dc=com");
            env.put(Context.SECURITY_CREDENTIALS, "password");

            env.put(Context.SECURITY_PROTOCOL, "ssl");

            // Create initial context: connects, performs the TLS handshake and the simple bind
            InitialLdapContext ctx = new InitialLdapContext(env, null);

            // Close the context when we're done; this sends the close_notify alert and the FIN
            ctx.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


Is it a bug? Can I expect a patch for this issue?

Regards,
Olivier

Edited by: 975464 on 6-Dec-2012 11:21 AM
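An added example, not part of the original post and not code from OpenLDAP or the JNDI provider: a small Python checker that walks a constructed, capture-style event list modelled on the two diagrams above and reports whether the teardown was graceful. It flags the case where one side's close_notify arrives after the other side has already closed its socket, which is the condition under which a TCP stack answers incoming data with RST (RFC 1122, section 4.2.2.13). It assumes that each FIN stands for a full close() of the socket rather than a half-close.

```python
# Added example (not from the original post): classify a TLS/TCP teardown
# from a constructed, capture-style event list and explain an unexpected RST.
from dataclasses import dataclass

CLOSE_NOTIFY = "close_notify"
ENDPOINTS = {"client", "server"}


@dataclass
class Verdict:
    graceful: bool
    reason: str


def classify_teardown(events):
    """events: (sender, kind) tuples in wire order; kind is "close_notify",
    "FIN", "ACK" or "RST". Assumption: a FIN means the sender called close()
    on the socket (as SSLSocket.close() does), not a half-close."""
    notified = set()   # endpoints that have sent a TLS close_notify alert
    closed = set()     # endpoints whose application has closed the socket
    for sender, kind in events:
        peer = "server" if sender == "client" else "client"
        if kind == CLOSE_NOTIFY:
            if peer in closed:
                # Data arriving on a socket the application already closed is
                # answered with RST (RFC 1122, section 4.2.2.13).
                return Verdict(False, f"{sender} close_notify arrived after {peer} "
                                      f"closed its socket; {peer} answers with RST")
            notified.add(sender)
        elif kind == "FIN":
            if sender not in notified:
                return Verdict(False, f"{sender} sent FIN without close_notify "
                                      "(peer cannot tell this from truncation)")
            closed.add(sender)
        elif kind == "RST":
            return Verdict(False, f"{sender} reset the connection")
        # plain ACKs carry no teardown information
    graceful = notified == ENDPOINTS and closed == ENDPOINTS
    return Verdict(graceful, "both close_notify alerts preceded both FINs"
                   if graceful else "teardown incomplete in capture")


# Constructed sequences modelled on the expected and observed diagrams.
EXPECTED = [("client", CLOSE_NOTIFY), ("server", CLOSE_NOTIFY),
            ("client", "FIN"), ("server", "FIN"), ("client", "ACK")]
OBSERVED = [("client", CLOSE_NOTIFY), ("client", "FIN"),
            ("server", CLOSE_NOTIFY), ("server", "FIN"), ("client", "RST")]

if __name__ == "__main__":
    for name, seq in (("expected", EXPECTED), ("observed", OBSERVED)):
        print(name, classify_teardown(seq))
```

On the observed sequence the checker stops at the server's close_notify, because the client had already closed its socket, so the later RST is the client's stack discarding data it can no longer deliver; the mitigation on the client side is to keep reading until the peer's close_notify arrives before closing.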
