authorKurt Zeilenga <kurt@openldap.org>
Fri, 20 Jan 2006 21:44:30 +0000 (21:44 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Fri, 20 Jan 2006 21:44:30 +0000 (21:44 +0000)
+       Fixed libldap disable DH key exchange with DH params (ITS#4354)
+       Fixed libldap_r pool destroy hang (ITS#4349)
+       Fixed slapd(8) solaris select(2) issue (ITS#4357)

CHANGES
doc/man/man5/slapd.conf.5
libraries/libldap/tls.c
libraries/libldap_r/tpool.c
servers/slapd/daemon.c

diff --git a/CHANGES b/CHANGES
index f2cd5f97a267cdc9223f0978dece2ca7bd2da409..a3ab2c296f43a53d20bf825897259626218e1686 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,11 @@
 OpenLDAP 2.3 Change Log
 
 OpenLDAP 2.3.19 Engineering
-       Fixed slaptools when --disable-debug (ITS#4351)
+       Fixed libldap disable DH key exchange with DH params (ITS#4354)
+       Fixed libldap_r pool destroy hang (ITS#4349)
+       Build environment
+               Fixed slaptools when --disable-debug (ITS#4351)
+               Fixed slapd(8) solaris select(2) issue (ITS#4357)
 
 OpenLDAP 2.3.18 Release
        Fixed slapd syncrepl variable used before set bug (ITS#4331)
index 323f338e09caa7374ad0abe3ddc53f0b678d0a44..b9c104307b4018ccc4657db7278e3416a4d4b625 100644 (file)
@@ -945,7 +945,11 @@ it is of critical importance that it is protected carefully.
 This directive specifies the file that contains parameters for Diffie-Hellman
 ephemeral key exchange.  This is required in order to use a DSA certificate on
 the server. If multiple sets of parameters are present in the file, all of
-them will be processed.
+them will be processed.  Note that setting this option may also enable
+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
+You should append "!ADH" to your cipher suites if you have changed them
+from the default, otherwise no certificate exchanges or verification will
+be done.
 .TP
 .B TLSRandFile <filename>
 Specifies the file to obtain random bits from when /dev/[u]random
index 6739599db6f123f2ecaf5f9cfac0f5880baeebbf..7bf45805c8a45b30c88be21c1423cb6a5dafb8fb 100644 (file)
@@ -382,7 +382,9 @@ ldap_pvt_tls_init_def_ctx( int is_server )
                        tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ?
                        tls_verify_ok : tls_verify_cb );
                SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
-               SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb );
+               if ( tls_opt_dhfile ) {
+                       SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb );
+               }
 #ifdef HAVE_OPENSSL_CRL
                if ( tls_opt_crlcheck ) {
                        X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );
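Review bot: The new `if ( tls_opt_dhfile )` guard around `SSL_CTX_set_tmp_dh_callback` carries no explanation, so a later reader is likely to take it for a harmless optimization and drop it. Suggest a comment on the `if`: `/* Install the ephemeral-DH callback only when DH parameters are configured: an unconditional callback enabled DH (and, with non-default cipher lists, anonymous DH) suites even without a dhfile (ITS#4354). */`. The guard tests only that the option is set, not that the file's parameters loaded; presumably that is decided inside `tls_tmp_dh_cb`, which should be confirmed. ldap_pvt_tls_init_def_ctx continues outside the hunk.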
index 355543cd3e186fe6f505920b1e3aa5379376454a..1937589b757635d2ee6e88e7bb91ae8e0c58706d 100644 (file)
@@ -378,8 +378,10 @@ ldap_pvt_thread_pool_destroy ( ldap_pvt_thread_pool_t *tpool, int run_pending )
                ? LDAP_INT_THREAD_POOL_FINISHING
                : LDAP_INT_THREAD_POOL_STOPPING;
 
-       ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
-       ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
+       if ( pool->ltp_open_count ) {
+               ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
+               ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
+       }
 
        while ((ctx = LDAP_STAILQ_FIRST(&pool->ltp_pending_list)) != NULL)
        {
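Review bot: The new guard waits on `ltp_cond` exactly once, but a condition wait can return before the predicate it was waiting for holds (spurious wakeup, or a broadcast meant for another waiter), so the count can still be non-zero after the wait; the conventional form re-checks it in a loop, `while ( pool->ltp_open_count ) {` in place of the `if`. What `ltp_open_count` counts and whether workers decrement it before they broadcast is not visible here and is presumably what makes the single wait sufficient today, so this should be confirmed against the worker path. The function continues outside the hunk.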
index 84d6352429424085e4026eb61f4c7dc78f665bec..8a6d1fa905c2636b3fba9ffcc106b973ef705141 100644 (file)
@@ -1857,21 +1857,17 @@ slapd_daemon_task(
                case -1: {      /* failure - try again */
                                int err = sock_errno();
 
-                               if( err == EBADF
-#ifdef WSAENOTSOCK
-                                       /* you'd think this would be EBADF */
-                                       || err == WSAENOTSOCK
-#endif
-                               ) {
-                                       if (++ebadf < SLAPD_EBADF_LIMIT)
-                                               continue;
-                               }
-
                                if( err != EINTR ) {
-                                       Debug( LDAP_DEBUG_ANY,
-                                               "daemon: select failed (%d): %s\n",
-                                               err, sock_errstr(err), 0 );
-                                       slapd_shutdown = 2;
+                                       ebadf++;
+
+                                       /* Don't log unless we got it twice in a row */
+                                       if ( !( ebadf & 1 )) {
+                                               Debug( LDAP_DEBUG_ANY,
+                                                       "daemon: select failed count %d err (%d): %s\n",
+                                                       ebadf, err, sock_errstr(err) );
+                                       }
+                                       if ( ebadf >= SLAPD_EBADF_LIMIT )
+                                               slapd_shutdown = 2;
                                }
                        }
                        continue;
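Review bot: The comment `/* Don't log unless we got it twice in a row */` does not match the test below it: `!( ebadf & 1 )` logs on every even count, and nothing in the hunk resets `ebadf` on a successful select, so the first non-EINTR failure is silent and later ones are logged every other time regardless of whether they were consecutive. Suggest `/* Log every second failure to limit noise; the counter is checked against SLAPD_EBADF_LIMIT below */` if that is the intent, or a reset of `ebadf` after a successful select if "in a row" is. A silent first failure also means a one-off select error leaves no trace in the log, which is a regression from the old code that logged every non-EINTR error; if the reset lives outside this hunk, a comment here naming it would help. slapd_daemon_task continues outside the hunk.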