Software Enhancements/7428
Notes: Fixed in master (requires -DLDAP_USE_NON_BLOCKING_TLS). Fixed in RE24, not noted since it is DEVEL only.
Date: Thu, 01 Nov 2012 17:22:42 +0000
From: rhafer@suse.de
To: openldap-its@OpenLDAP.org
Subject: libldap: use non-blocking IO during TLS handshake

Full_Name: Ralf Haferkamp
Version: HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.80.202)

Currently libldap is using blocking IO when performing the SSL handshake for ldaps:// connections (and when performing the StartTLS operation). This can lead to the client blocking forever in the ssl lib (in SSL_connect in case of openssl) if e.g. the server for whatever reason stops responding. It would be very helpful if libldap would use non-blocking IO during the handshake, at least when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) is set.
Date: Thu, 1 Nov 2012 18:36:03 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake

I've just uploaded:

ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set, ldap_int_tls_start will switch to non-blocking IO and call ldap_int_tls_connect as often as needed unless it times out in between. Currently I have only tested this with openssl, but AFAICS this should also work with the NSS and gnutls backends. Please review and comment.

Ralf
Date: Fri, 16 Nov 2012 16:44:12 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@openldap.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake

I just uploaded a slightly updated patch to:

ftp://ftp.openldap.org/incoming/rhafer-20121116-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

The code is now only enabled when LDAP_USE_NON_BLOCKING_TLS is defined, mainly because NSS and GNUTLS show some issues with non-blocking sockets. See my mail on -devel. Additionally, the non-blocking handshake is only done if LDAP_OPT_TIMEOUT is set. Previously I used LDAP_OPT_NETWORK_TIMEOUT, but IMO LDAP_OPT_TIMEOUT is the better choice.

On Thu, Nov 01, 2012 at 05:36:54PM +0000, rhafer@suse.de wrote:
> I've just uploaded:
>
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> [..]

Ralf
Date: Wed, 21 Nov 2012 14:52:37 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@openldap.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake

I just pushed the latest incarnation of my patch to master. The code is currently hidden behind #ifdefs (mainly for the NSS issues outlined on -devel) and I switched back again to using LDAP_OPT_NETWORK_TIMEOUT for TLS handshake timeouts.

regards,
Ralf

On Thu, Nov 01, 2012 at 05:22:42PM +0000, rhafer@suse.de wrote:
>
> Currently libldap is using blocking IO when performing the SSL handshake for
> ldaps:// connections (and when performing the StartTLS operation). The can lead
> to the client blocking forever in the ssl lib (in SSL_connect in case of
> openssl) if e.g. the server for whatever reason stops responding. It would be
> very helpful if libldap would use non-blocking IO during the handshake at least
> when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) are set.
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org