After upgrading from dev-libs/openssl-1.0.1c to dev-libs/openssl-1.0.1d, querying an LDAP server via ldaps fails. Reproducible: Always Steps to Reproduce: 1. Upgrade a system using net-nds/openldap-2.4.33-r1 from dev-libs/openssl-1.0.1c to dev-libs/openssl-1.0.1d 2. Try to query an LDAP-server via ldaps, e.g. by running 'ldapsearch' Actual Results: Can't contact LDAP server (-1) Expected Results: Establishing the connection with the LDAP-server using ldaps and performing the request $ ldapsearch -d9 -x ldap_create ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP @@server-hostname@@:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying @@server-ip@@:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 3, err: 19, subject: @@server-cert-info@@ TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 14 bytes to sd 3 ldap_result ld 0x20e2650 msgid 1 wait4msg ld 0x20e2650 msgid 1 (infinite timeout) wait4msg continue ld 0x20e2650 msgid 1 all 1 ** ld 0x20e2650 Connections: * host: @@server-hostname@@ port: 636 (default) refcnt: 2 status: Connected last used: Thu Feb 7 11:22:45 2013 ** ld 0x20e2650 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x20e2650 request count 1 (abandoned 0) ** ld 0x20e2650 Response Queue: Empty ld 0x20e2650 response count 0 ldap_chkResponseList ld 0x20e2650 msgid 1 all 1 ldap_chkResponseList returns ld 0x20e2650 NULL ldap_int_select read1msg: ld 0x20e2650 msgid 1 all 1 ber_get_next TLS trace: SSL3 alert write:fatal:bad record mac ber_get_next failed. ldap_err2string ldap_result: Can't contact LDAP server (-1) ldap_free_request (origid 1, msgid 1) ldap_free_connection 1 1 TLS trace: SSL3 alert write:warning:close notify ldap_free_connection: actually freed $ emerge --info Portage 2.1.11.50 (default/linux/amd64/10.0/desktop, gcc-4.6.3, glibc-2.16.0, 3.7.5 x86_64) ================================================================= System uname: Linux-3.7.5-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.2 KiB Mem: 8176852 total, 624408 free KiB Swap: 4194300 total, 4193148 free Timestamp of tree: Thu, 07 Feb 2013 01:45:01 +0000 ld GNU ld (GNU Binutils) 2.23.1 app-shells/bash: 4.2_p42 dev-java/java-config: 2.1.12-r1 dev-lang/python: 2.7.3-r3::<unknown repository>, 3.2.3-r2 dev-util/cmake: 2.8.10.2-r1 dev-util/pkgconfig: 0.28 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.11.8 sys-apps/sandbox: 2.6 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.11.6, 1.12.6, 1.13.1 sys-devel/binutils: 2.23.1 sys-devel/gcc: 4.6.3 sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.7 (virtual/os-headers) sys-libs/glibc: 2.16.0 Repositories: gentoo x-overlays ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=x86-64 -pipe -mmmx -msse -msse2 -mssse3" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -march=x86-64 -pipe -mmmx -msse -msse2 -mssse3" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j5" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlays" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 avahi berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds python qt3support qt4 readline sdl session spell spice sse sse2 sse3 ssl ssse3 startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xcb xft xinerama xml xv xvid zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 338202 [details] /etc/ldap.conf
Comment on attachment 338202 [details] /etc/ldap.conf >base dc=@@subdomain@@,dc=@@domain@@,dc=@@tld@@ >uri ldaps://@@server-hostname@@/ >ldap_version 3 >pam_password exop >nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,statd,sync,sys,syslog,uucp,whoopsie,www-data
Created attachment 338204 [details] /etc/openldap/ldap.conf
My current workaround is downgrading to dev-libs/openssl-1.0.1c which fixes the issue for me.
*** This bug has been marked as a duplicate of bug 456108 ***