
Re: problems on EAGAIN? (was: TLS connect from remote host to slapd hangs)



Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Rainer Clasen
> 
> > Rainer Clasen wrote:
> > > I can access this slapd fine from the server itself. But when I try to
> > > contact the new slave from *anywhere* else the connection hangs during
> > > the initial SSL phase.
> >
> > I've run the server under strace. slapd starts sending the CA
> > certificates and after several successful write()s one call to write()
> > returns EAGAIN. Up to then the client received some certificates and
> > then blocks.
> 
> > Could it be that slapd chokes on the EAGAIN received when writing out
> > the CA certificates?
> 
> slapd doesn't have much to do with this; it's the SSL library that takes care
> of sending CA certs to the client. The OpenSSL library's write routines give
> up whenever a write() returns < 1. In OpenLDAP 2.1.6 the TLS interface in
> libldap was fixed to set the SSL retry_write flag when a write resulted in
> EAGAIN. Unfortunately (as of 0.9.6g) OpenSSL's send_server_certificate()
> function doesn't check the retry_write flag. Maybe it should, but that's a
> question for an OpenSSL mailing list.

Thanks for the explanation. I suppose it would have taken me ages to
find this out on my own. I'm putting it on my todo list to bring this
issue up on the openssl list.


Rainer

-- 
KeyID=759975BD fingerprint=887A 4BE3 6AB7 EE3C 4AE0  B0E1 0556 E25A 7599 75BD
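
The failure mode discussed in this thread, reduced to plain sockets as an added example (not code from OpenLDAP, OpenSSL or either poster): a writer that gives up when a non-blocking write() returns < 1 delivers only part of a large payload, while one that treats EAGAIN as "wait until writable" delivers all of it. The socketpair, the 4 MiB payload standing in for a long CA certificate list, and all function names are assumptions made for the illustration.

```c
/* Added example: a non-blocking AF_UNIX socketpair stands in for the slapd-to-client
   link; all names and the 4 MiB payload are constructed for illustration. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read everything currently queued on fd; plays the remote client. */
static size_t drain(int fd) {
    char buf[65536]; size_t n = 0; ssize_t r;
    while ((r = read(fd, buf, sizeof buf)) > 0) n += (size_t)r;
    return n;
}

/* Push len bytes through non-blocking fd `out`. retry == 0: give up on the first
   write() < 1. retry != 0: on EAGAIN wait for POLLOUT and continue. */
static void send_all(int out, int peer, const char *p, size_t len, int retry, size_t *rcvd) {
    size_t sent = 0;
    while (sent < len) {
        ssize_t w = write(out, p + sent, len - sent);
        if (w > 0) { sent += (size_t)w; continue; }
        if (!retry || w == 0 || (errno != EAGAIN && errno != EINTR)) break;
        *rcvd += drain(peer);                 /* client reads, freeing buffer space */
        struct pollfd pfd = { .fd = out, .events = POLLOUT };
        if (poll(&pfd, 1, 1000) <= 0) break;  /* still not writable after 1 s: real failure */
    }
    *rcvd += drain(peer);
}

/* Returns how many of len bytes reached the peer. */
size_t run_transfer(size_t len, int retry) {
    static char payload[4u << 20];
    int sv[2]; size_t rcvd = 0;
    if (len > sizeof payload || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    fcntl(sv[0], F_SETFL, O_NONBLOCK);
    fcntl(sv[1], F_SETFL, O_NONBLOCK);
    memset(payload, 'C', len);
    send_all(sv[0], sv[1], payload, len, retry, &rcvd);
    close(sv[0]); close(sv[1]);
    return rcvd;
}

int main(void) {
    printf("give up on EAGAIN: %zu bytes\n", run_transfer(4u << 20, 0));
    printf("retry on EAGAIN:   %zu bytes\n", run_transfer(4u << 20, 1));
    return 0;
}
```

In the give-up case the peer is left holding a truncated stream and waiting for the rest, which matches the client-side hang seen under strace.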