Issue 8581 - slapd-meta backend SSL negotiation timeout
Summary: slapd-meta backend SSL negotiation timeout
Status: VERIFIED DUPLICATE of issue 8047
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: backends (show other issues)
Version: 2.4.40
Hardware: All All
: --- enhancement
Target Milestone: 2.7.0
Assignee: OpenLDAP project
Reported: 2017-02-04 21:59 UTC by louis.chanouha@univ-toulouse.fr
Modified: 2023-11-02 17:01 UTC
Description louis.chanouha@univ-toulouse.fr 2017-02-04 21:59:17 UTC
Full_Name: Louis Chanouha
Version: 2.4.40
OS: Debian 8


Hello,

I experience some problems with slapd-meta with an ldaps backend.
The GnuTLS (or OpenSSL) negotiation timeout seems not to be handled, and I can't
find any reference to modifying this timeout in the docs. My server becomes
unresponsive (too many connection slots) when an SSL-secured backend server times
out after TCP connection establishment.

To reproduce the error, I have a meta directory configured like this:

database meta
suffix          "dc=localauth"
rootdn          "%n=Manager,dc=localauth"
rootpw          XXX

uri "ldaps://localhost:666/ou=UT,dc=localauth"
lastmod off
suffixmassage   "ou=UT,dc=localauth" "ou=people,dc=example,dc=fr"
timeout 1
conn-ttl 1
network-timeout 1

And I launch a netcat to listen on port 666:
nc -l -p 666

Then this command never times out:
ldapwhoami -H ldap://YYYY:9009 -D uid=me,ou=UT,dc=localauth -W

The error does not happen when no SSL is used (the "timeout 1" option works well).

OS: Debian 8 Jessie x64
slapd: 2.4.40+dfsg-1+deb8u2
gnutls: 3.3.8-6+deb8u4


Sorry for my English, and thanks for the help,
Regards,
Louis Chanouha
University of Toulouse
Comment 1 Michael Ströder 2017-02-05 17:35:33 UTC
louis.chanouha@univ-toulouse.fr wrote:
> OS: Debian 8 Jessie x64
> slapd: 2.4.40+dfsg-1+deb8u2
> gnutls: 3.3.8-6+deb8u4

Note that the Debian builds are an older version and AFAICS the GnuTLS wrapping code does
not receive much love.

Try again release 2.4.44 linked to OpenSSL e.g. by using the ltb-project builds or your
own custom build.

Ciao, Michael.


Comment 2 Louis Chanouha 2017-02-10 15:43:52 UTC
I tried with LTB's latest Jessie builds but the same problem occurs.
I fast-checked tls_o.c; I can't find any code related to the handshake timeout
(https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_g.c),
but as I have never handled any SSL lib code, I may be completely mistaken.

On Jessie, the default timeout on GnuTLS seems to be 3600 secs; I will try
to wait.

/usr/local/openldap/libexec/slapd  -V
@(#) $OpenLDAP: slapd 2.4.44 (Feb  8 2016 17:34:53) $
root@debian8:/opt/paquet-openldap-debian/openldap-ltb-2.4.44/servers/slapd

Comment 3 Quanah Gibson-Mount 2017-03-17 16:45:10 UTC
moved from Incoming to Software Bugs
Comment 4 Louis Chanouha 2017-05-02 07:42:22 UTC
I looked deeper into the source, and I found the problem.
Non-blocking sockets seem to be implemented for the starttls connection only,
not for direct SSL (ldaps://), which uses a blocking socket.

The problem isn't openssl or gnutls related.

Another solution could be to set the socket timeout to a more reasonable value.


I would like to help more, but this kind of modification is too
complicated for my current knowledge of sockets.


Regards.
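
The failure mode described in comment 4, as an added example (Python, not OpenLDAP code): a silent TCP listener standing in for `nc -l -p 666`, then a TLS handshake attempted over a blocking socket versus one with a socket timeout set, which is the mitigation the comment suggests. The ephemeral listener port, the 1 s timeout and the 2 s wait are constructed values for this example.

```python
import socket
import ssl
import threading
import time

def start_silent_listener():
    """Stand-in for `nc -l -p 666`: accept TCP connections, then never send a byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # ephemeral port (constructed; the report used 666)
    srv.listen(5)
    held = []                     # keep accepted connections open so no FIN reaches the client

    def accept_forever():
        while True:
            conn, _ = srv.accept()
            held.append(conn)

    threading.Thread(target=accept_forever, daemon=True).start()
    return srv, srv.getsockname()[1]

def tls_connect(port, timeout=None):
    """TLS handshake against the silent peer. timeout=None is the blocking-socket case
    from comment 4 (the handshake never returns); a number is the socket-timeout fix.
    Returns ("timeout", seconds) or ("connected", seconds)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False    # the peer never presents a certificate anyway
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    tls = ctx.wrap_socket(raw, do_handshake_on_connect=False)  # inherits raw's timeout
    start = time.monotonic()
    try:
        tls.do_handshake()        # ClientHello goes out, then we wait for a ServerHello
        return ("connected", time.monotonic() - start)
    except socket.timeout:
        return ("timeout", time.monotonic() - start)
    finally:
        tls.close()

def handshake_hangs(port, wait=2.0):
    """Run the blocking variant on a thread; True if it is still stuck after `wait` seconds."""
    t = threading.Thread(target=tls_connect, args=(port, None), daemon=True)
    t.start()
    t.join(wait)
    return t.is_alive()

if __name__ == "__main__":
    _srv, port = start_silent_listener()
    print("1 s socket timeout ->", tls_connect(port, timeout=1.0))
    print("blocking socket still stuck after 2 s ->", handshake_hangs(port))
```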

Comment 5 Quanah Gibson-Mount 2023-11-02 17:01:13 UTC

*** This issue has been marked as a duplicate of issue 8047 ***