#48990 Misleading error message for TLS on the clear text port.
Closed: wontfix 4 years ago by mreynolds. Opened 7 years ago by nhosoi.

This message is stored in the error log:
[..] connection - conn=160 fd=64 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

Additional comment:

whatever I set nsslapd-maxbersize to, I always get that log entry.

Comment by Rich:

I have seen similar issues when a client tries to do SSL to the clear text port e.g. the value of 3 is the TLS major version.

It seems if accidentally use TLS on the clear text port, ber_get_next returns LBER_OVERFLOW or errno is set to ERANGE in ber_get_next.
1036 *tagp = ber_get_next( conn->c_sb, &bytes_scanned, ber );

The error message should be translated to a more appropriate one.

Note: observed in 1.3.5.x.


Metadata Update from @nhosoi:
- Issue set to the milestone: 1.3.6 backlog

7 years ago

I guess we could attempt to detect this by comparing if the ber element size is less than the max allowable, and then log something like "perhaps TLS handshake on plaintext port?"?

Metadata Update from @firstyear:
- Issue close_status updated to: None

6 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.3.7 backlog (was: 1.3.6 backlog)

6 years ago

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445188

6 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2049

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago

Login to comment on this ticket.

Metadata