Re: Client blocking forever in SSL_connect



On Thu 22.12.2005 20:31, Kurt D. Zeilenga <Kurt@OpenLDAP.org> wrote:

> At 10:19 AM 12/22/2005, Ralf Haferkamp wrote:
> >On Thursday 22 December 2005 18:43, Kurt D. Zeilenga wrote:
> >> At 10:43 AM 12/19/2005, Ralf Haferkamp wrote:
> >> >Hi,
> >> >
> >> >I ran into a problem where an LDAP Client, that uses SSL/TLS (no
> >> >matter whether via ldaps or START_TLS) was indefinitely blocking in
> >> >the SSL_connect() call in libraries/libldap/tls.c.
> >> >As libldap mostly uses blocking IO (as far as I understand), the
> >> >SSL_connect call also uses blocking IO (according to the openssl
> >> >docs) and so it can easily block if the server does not reply.
> >> >
> >> >I am wondering if it is possible to add functionality to the API
> >> >that one can use SSL_connect in a non-blocking fashion. For example
> >> >by setting the underlying socket to non-blocking just before the
> >> >SSL_connect call and using select with the LDAP_OPT_NETWORK_TIMEOUT
> >> >timeout value and setting it back to blocking IO after the SSL
> >> >handshake completed. Similar to what is done in ldap_pvt_connect()
> >> >in libraries/libldap/os-ip.c
> >> >
> >> >Comments or other suggestions?
> >>
> >> What API would you provide to the program to continue the
> >> communication once blocking condition was removed?
> >
> >I am not sure if I understand your question. My original idea was to do
> >it without any additional API and hide the non-blocking SSL-handshake
> >completely inside the ldap_int_tls_connect() function.
> 
> That seems to imply that ldap_int_tls_connect would then block,
> what would be the point of that?
When using select() inside ldap_int_tls_connect() we could set the
timeout to e.g. LDAP_OPT_NETWORK_TIMEOUT so it would block only for a
certain time and after that return with an appropriate error code.

-- 
Ralf
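
Added example, not part of the original message and not libldap code: a sketch of the bounded handshake proposed above, with the socket switched to non-blocking, select() limited by one overall timeout, and blocking mode restored afterwards. The names handshake_with_timeout, hs_step, step_need_byte and demo are hypothetical, and the step callback stands in for SSL_connect() so the block runs without OpenSSL.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum hs { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_FAIL };
/* One attempt; with OpenSSL: SSL_connect(), then SSL_get_error() -> HS_*. */
typedef enum hs (*hs_step)(int fd);
static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}
/* Returns 0 on success, -1 on error, -2 once timeout_ms has expired. */
int handshake_with_timeout(int fd, hs_step step, long timeout_ms) {
    int rc = -1, flags = fcntl(fd, F_GETFL, 0);
    long long deadline = now_ms() + timeout_ms;  /* one budget for all rounds */
    enum hs w;
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    while ((w = step(fd)) == HS_WANT_READ || w == HS_WANT_WRITE) {
        long long left = deadline - now_ms();
        struct timeval tv = { left / 1000, (left % 1000) * 1000 };
        fd_set fds; FD_ZERO(&fds); FD_SET(fd, &fds);
        int n = left <= 0 ? 0 : select(fd + 1, w == HS_WANT_READ ? &fds : NULL,
                                       w == HS_WANT_WRITE ? &fds : NULL, NULL, &tv);
        if (n == 0) { rc = -2; break; }          /* peer stayed silent */
        if (n < 0 && errno != EINTR) break;      /* real select() failure */
    }
    if (w == HS_DONE) rc = 0;
    fcntl(fd, F_SETFL, flags);                   /* back to blocking I/O */
    return rc;
}

/* Constructed rig: the stand-in "handshake" is done once the peer sent a byte. */
static enum hs step_need_byte(int fd) {
    char c; ssize_t n = read(fd, &c, 1);
    if (n == 1) return HS_DONE;
    return (n < 0 && errno == EAGAIN) ? HS_WANT_READ : HS_FAIL;
}
int demo(int peer_replies) {   /* silent peer => -2 after the 200 ms budget */
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return rc;
    if (!peer_replies || write(sv[1], "x", 1) == 1)
        rc = handshake_with_timeout(sv[0], step_need_byte, 200);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

The deadline is computed once, so a peer that sends handshake data one fragment at a time cannot restart the timer on every select() round.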