1 Reply Latest reply: Dec 6, 2012 4:36 PM by EJP RSS

    Some RST are seen during TCP disconnection when using SSL connection

      Some RST are seen during TCP disconnection when using SSL connection

      It is expected that the disconnection sequence for a secure connection to be as follow:

      client ************************* server
      --- alert (warning, close notify) --->
      <--- alert (warning, close notify) ---

      in any order;
      and then:-

      --------------- FIN, ACK ------------>
      <----------- FIN, ACK ---------------
      ------------------ ACK ----------------->

      Instead of the sequence described above, the TCP connection for a secure connection is closed with an RST.
      For instance, Wireshark capture shows that an SSL+SASL TCP connection is closed in the following manner:

      client ************************** server
      --- alert (warning, close notify) ---->
      ---------------- FIN, ACK ------------>
      <--- alert (warning, close notify) ---
      <----------- FIN, ACK ---------------------
      ------------ RST -----------------> *(This RST message should be investigated, an ACK message was expected)*

      Server: OpenLDAP: slapd 2.4.23

      Client: (java version "1.6.0_16")

      import javax.naming.*;
      import javax.naming.directory.*;
      import javax.naming.ldap.InitialLdapContext;
      import java.util.Hashtable;
      import javax.naming.ldap.InitialLdapContext;
      import javax.naming.ldap.StartTlsRequest;
      import javax.naming.ldap.StartTlsResponse;

      class Client {
      private static final String DEFAULT_INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

      public static void main(String[] args) {

      try {

      System.setProperty("javax.net.ssl.keyStore", "c:\\\keystore");
      System.setProperty("javax.net.ssl.keyStorePassword", "adminadmin");

      // Set up environment for creating initial context
      Hashtable env = new Hashtable(11);
      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

      // Must use the name of the server that is found in its certificate
      env.put(Context.PROVIDER_URL, "ldap://");
      env.put(Context.SECURITY_AUTHENTICATION, "simple");

      env.put(Context.SECURITY_PRINCIPAL, "cn=manager,dc=operator,dc=com");
      env.put(Context.SECURITY_CREDENTIALS, "password");

      env.put(Context.SECURITY_PROTOCOL, "ssl");

      // Create initial context
      InitialLdapContext ctx = new InitialLdapContext(env, null);

      // Close the context when we're done
      catch(Exception e)



      Is it a bug ? Can I expect to have a patch for this issue?


      Edited by: 975464 on 6-Dec-2012 11:21 AM