Full_Name: Louis Chanouha
Version: 2.4.40
OS: Debian 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (90.76.56.40)

Hello,

I experience some problems with slapd-meta with an ldaps backend. The gnuTLS (or OpenSSL) negotiation timeout seems not to be handled, and I can't find any reference to modify this timeout in the docs. My server becomes unresponsive (too many connection slots) when an SSL-secured backend server times out after TCP connection establishment.

To reproduce the error, I have a meta directory configured like this:

  database meta
  suffix "dc=localauth"
  rootdn "%n=Manager,dc=localauth"
  rootpw XXX
  uri "ldaps://localhost:666/ou=UT,dc=localauth"
  lastmod off
  suffixmassage "ou=UT,dc=localauth" "ou=people,dc=example,dc=fr"
  timeout 1
  conn-ttl 1
  network-timeout 1

And I launch a netcat to listen on port 666:

  nc -l -p 666

Then this command never times out:

  ldapwhoami -H ldap://YYYY:9009 -D uid=me,ou=UT,dc=localauth -W

The error does not happen when no SSL is used (the "timeout 1" option works well).

OS: Debian 8 Jessie x64
slapd: 2.4.40+dfsg-1+deb8u2
gnutls: 3.3.8-6+deb8u4

Sorry for my English, and thanks for the help.

Regards,
Louis Chanouha
University of Toulouse
louis.chanouha@univ-toulouse.fr wrote:
> OS: Debian 8 Jessie x64
> slapd: 2.4.40+dfsg-1+deb8u2
> gnutls: 3.3.8-6+deb8u4

Note that the Debian builds are an older version and AFAICS the GnuTLS wrapping code does not receive much love. Try again with release 2.4.44 linked to OpenSSL, e.g. by using the ltb-project builds or your own custom build.

Ciao, Michael.
I tried with ltb's latest Jessie builds but the same problem occurs. I fast-checked tls_o.c; I can't find any code related to a handshake timeout (https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_g.c), but as I have never handled any SSL lib code, I could be completely mistaken. On Jessie, the default timeout on gnuTLS seems to be 3600 secs; I will try to wait.

  /usr/local/openldap/libexec/slapd -V
  @(#) $OpenLDAP: slapd 2.4.44 (Feb 8 2016 17:34:53) $
  root@debian8:/opt/paquet-openldap-debian/openldap-ltb-2.4.44/servers/slapd
moved from Incoming to Software Bugs
I looked deeper into the source, and I found the problem. Non-blocking sockets seem to be implemented for the StartTLS connection only, not for direct SSL (ldaps://), which uses a blocking socket. The problem isn't OpenSSL or GnuTLS related. Another solution could be to set the socket timeout to a more reasonable value. I would like to help more, but this kind of modification is too complicated for my current knowledge of sockets.

Regards.
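The hang described in this thread, reduced to its mechanism as an added example (not code from the thread or from OpenLDAP): a local stand-in for `nc -l -p 666` accepts the TCP connection and never answers the TLS handshake, and a client whose socket timeout bounds the handshake returns instead of blocking. Calling `tls_handshake` with `timeout=None` is the blocking-socket case from the report and hangs for as long as the peer holds the connection open; the function names, the loopback port and the 0.5 s value are assumptions.

```python
import socket
import ssl
import threading
import time

_HELD = []  # keeps accepted sockets alive so the peer never sees a close


def start_silent_server():
    """Constructed stand-in for the report's `nc -l -p 666`: accepts the TCP
    connection and then says nothing, so the client's TLS handshake can
    never complete. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_and_hold():
        conn, _ = srv.accept()
        _HELD.append(conn)  # hold it open; no ServerHello is ever sent

    threading.Thread(target=accept_and_hold, daemon=True).start()
    return srv.getsockname()[1]


def tls_handshake(port, timeout):
    """Attempt a TLS handshake using a socket timeout in seconds.
    timeout=None is the blocking case from the report: the call then
    hangs for as long as the peer keeps the TCP connection open."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # demo only: the peer never sends a
    ctx.verify_mode = ssl.CERT_NONE  # certificate, so this is never reached
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        # wrap_socket runs the handshake and inherits raw's timeout
        tls = ctx.wrap_socket(raw, server_hostname="localhost")
        tls.close()
        return "ok"
    except (socket.timeout, TimeoutError):
        return "timeout"
    finally:
        raw.close()


def reproduce(timeout=0.5):
    """Run the scenario once; returns (result, elapsed_seconds)."""
    port = start_silent_server()
    t0 = time.monotonic()
    result = tls_handshake(port, timeout)
    return result, time.monotonic() - t0
```

`reproduce()` returns `("timeout", ~0.5)`; the same slapd-side fix the thread suggests is to give the ldaps:// socket a bounded timeout before the handshake.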
*** This issue has been marked as a duplicate of issue 8047 ***