From HEAD:

+ Fixed libldap disable DH key exchange with DH params (ITS#4354) + Fixed libldap_r pool destroy hang (ITS#4349) + Fixed slapd(8) solaris select(2) issue (ITS#4357)

From HEAD:
+ Fixed libldap disable DH key exchange with DH params (ITS#4354) + Fixed libldap_r pool destroy hang (ITS#4349) + Fixed slapd(8) solaris select(2) issue (ITS#4357)
e536c3ad · Kurt Zeilenga · 2a5d79cb · e536c3ad · e536c3ad · e536c3ad
Commit e536c3ad authored Jan 20, 2006 by Kurt Zeilenga
--- a/CHANGES
+++ b/CHANGES
 OpenLDAP 2.3 Change Log

 OpenLDAP 2.3.19 Engineering
-	Fixed slaptools when --disable-debug (ITS#4351)
+	Fixed libldap disable DH key exchange with DH params (ITS#4354)
+	Fixed libldap_r pool destroy hang (ITS#4349)
+	Build environment
+		Fixed slaptools when --disable-debug (ITS#4351)
+		Fixed slapd(8) solaris select(2) issue (ITS#4357)

 OpenLDAP 2.3.18 Release
 	Fixed slapd syncrepl variable used before set bug (ITS#4331)

--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -945,7 +945,11 @@ it is of critical importance that it is protected carefully.
 This directive specifies the file that contains parameters for Diffie-Hellman
 ephemeral key exchange.  This is required in order to use a DSA certificate on
 the server. If multiple sets of parameters are present in the file, all of
-them will be processed.
+them will be processed.  Note that setting this option may also enable
+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
+You should append "!ADH" to your cipher suites if you have changed them
+from the default, otherwise no certificate exchanges or verification will
+be done.
 .TP
 .B TLSRandFile <filename>
 Specifies the file to obtain random bits from when /dev/[u]random

--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -382,7 +382,9 @@ ldap_pvt_tls_init_def_ctx( int is_server )
 			tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ?
 			tls_verify_ok : tls_verify_cb );
 		SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
-		SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb );
+		if ( tls_opt_dhfile ) {
+			SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb );
+		}
 #ifdef HAVE_OPENSSL_CRL
 		if ( tls_opt_crlcheck ) {
 			X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );

--- a/libraries/libldap_r/tpool.c
+++ b/libraries/libldap_r/tpool.c
@@ -378,8 +378,10 @@ ldap_pvt_thread_pool_destroy ( ldap_pvt_thread_pool_t *tpool, int run_pending )
 		? LDAP_INT_THREAD_POOL_FINISHING
 		: LDAP_INT_THREAD_POOL_STOPPING;

-	ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
-	ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
+	if ( pool->ltp_open_count ) {
+		ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
+		ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
+	}

 	while ((ctx = LDAP_STAILQ_FIRST(&pool->ltp_pending_list)) != NULL)
 	{

--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -1857,21 +1857,17 @@ slapd_daemon_task(
 		case -1: {	/* failure - try again */
 				int err = sock_errno();

-				if( err == EBADF
-#ifdef WSAENOTSOCK
-					/* you'd think this would be EBADF */
-					|| err == WSAENOTSOCK
-#endif
-				) {
-					if (++ebadf < SLAPD_EBADF_LIMIT)
-						continue;
-				}
-
 				if( err != EINTR ) {
-					Debug( LDAP_DEBUG_ANY,
-						"daemon: select failed (%d): %s\n",
-						err, sock_errstr(err), 0 );
-					slapd_shutdown = 2;
+					ebadf++;
+
+					/* Don't log unless we got it twice in a row */
+					if ( !( ebadf & 1 )) {
+						Debug( LDAP_DEBUG_ANY,
+							"daemon: select failed count %d err (%d): %s\n",
+							ebadf, err, sock_errstr(err) );
+					}
+					if ( ebadf >= SLAPD_EBADF_LIMIT )
+						slapd_shutdown = 2;
 				}
 			}
 			continue;