OpenLDAP
Viewing Software Enhancements/7428
From: rhafer@suse.de
Subject: libldap: use non-blocking IO during TLS handshake
Date: Thu, 01 Nov 2012 17:22:42 +0000
From: rhafer@suse.de
To: openldap-its@OpenLDAP.org
Subject: libldap: use non-blocking IO during TLS handshake
Full_Name: Ralf Haferkamp
Version: HEAD
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.80.202)


Currently libldap is using blocking IO when performing the SSL handshake for
ldaps:// connections (and when performing the StartTLS operation). This can lead
to the client blocking forever in the ssl lib (in SSL_connect in case of
openssl) if e.g. the server for whatever reason stops responding. It would be
very helpful if libldap would use non-blocking IO during the handshake at least
when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) are set.


Followup 1

Date: Thu, 1 Nov 2012 18:36:03 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake
I've just uploaded:

ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set,
ldap_int_tls_start will switch to non-blocking IO and call
ldap_int_tls_connect as often as needed, unless it times out in between.
Currently I have only tested this with openssl, but AFAICS this should also work
with the NSS and gnutls backends.

Please review and comment.

Ralf

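A sketch of the loop Ralf describes, as an added example rather than anything from the patch or libldap: the socket is switched to non-blocking mode, each SSL_connect-like step is retried after poll() until it completes, and poll's wait is bounded by what is left of the configured timeout (the value LDAP_OPT_NETWORK_TIMEOUT would supply), so a peer that stops responding mid-handshake produces a timeout instead of a client stuck forever in SSL_connect. The handshake step is a callback modelled on SSL_connect's return codes so the code builds and runs without libssl; `tls_handshake_with_timeout`, `demo` and the step functions are my names, and the two scenarios at the bottom are constructed on a pipe.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>
/* SSL_connect-like outcomes; a real step would map SSL_get_error() onto these. */
enum hs_result { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_ERROR };
typedef enum hs_result (*hs_step_fn)(void *ctx);
static long ms_until(const struct timespec *dl) {   /* ms left until deadline, clamped at 0 */
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    long ms = (dl->tv_sec - now.tv_sec) * 1000L + (dl->tv_nsec - now.tv_nsec) / 1000000L;
    return ms < 0 ? 0 : ms;
}
/* Returns 0 when the handshake completes, -1 on error, -2 when the deadline passes.
 * On -1/-2 the caller is expected to close the socket, as libldap does on a failed connect. */
int tls_handshake_with_timeout(int fd, hs_step_fn step, void *ctx, long timeout_ms) {
    struct timespec dl;
    clock_gettime(CLOCK_MONOTONIC, &dl);
    dl.tv_sec += timeout_ms / 1000;
    dl.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (dl.tv_nsec >= 1000000000L) { dl.tv_sec++; dl.tv_nsec -= 1000000000L; }
    int flags = fcntl(fd, F_GETFL, 0);                 /* switch to non-blocking IO */
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    for (;;) {
        enum hs_result r = step(ctx);                  /* one non-blocking handshake step */
        if (r == HS_DONE) break;
        if (r == HS_ERROR) return -1;
        struct pollfd p = { .fd = fd, .events = (r == HS_WANT_READ) ? POLLIN : POLLOUT };
        long left = ms_until(&dl);
        int n = left > 0 ? poll(&p, 1, (int)left) : 0;   /* wait only for the remaining budget */
        if (n < 0 && errno == EINTR) continue;         /* interrupted: re-check the deadline */
        if (n < 0) return -1;
        if (n == 0) return -2;                         /* peer went silent: give up, don't hang */
    }
    fcntl(fd, F_SETFL, flags);                         /* back to blocking mode for LDAP traffic */
    return 0;
}
/* Constructed scenarios on a pipe: a peer that never answers, and one that needs two sends. */
static enum hs_result step_stalled(void *ctx) { (void)ctx; return HS_WANT_READ; }
static enum hs_result step_two_sends(void *ctx) { int *n = ctx; return (*n)++ < 2 ? HS_WANT_WRITE : HS_DONE; }
int demo(int stalled) {
    int fds[2], n = 0;
    if (pipe(fds) < 0) return -1;
    int rc = stalled ? tls_handshake_with_timeout(fds[0], step_stalled, NULL, 50)
                     : tls_handshake_with_timeout(fds[1], step_two_sends, &n, 50);
    close(fds[0]); close(fds[1]);
    return rc;
}
```

demo(1) models the server going quiet after the TCP connect and returns -2 after the 50 ms budget; demo(0) completes after two writable-wait rounds and returns 0.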


Followup 2

Date: Fri, 16 Nov 2012 16:44:12 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@openldap.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake
I just uploaded a slightly updated patch to:

ftp://ftp.openldap.org/incoming/rhafer-20121116-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

The code is now only enabled when LDAP_USE_NON_BLOCKING_TLS is defined, mainly
because NSS and GNUTLS show some issues with non-blocking sockets. See my mail
on -devel. Additionally, the non-blocking handshake is only done if
LDAP_OPT_TIMEOUT is set. Previously I used LDAP_OPT_NETWORK_TIMEOUT, but IMO
LDAP_OPT_TIMEOUT is the better choice.

On Thu, Nov 01, 2012 at 05:36:54PM +0000, rhafer@suse.de wrote:
> I've just uploaded:
> 
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> 
[..]

Ralf



Followup 3

Date: Wed, 21 Nov 2012 14:52:37 +0100
From: Ralf Haferkamp <rhafer@suse.de>
To: openldap-its@openldap.org
Subject: Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake
I just pushed the latest incarnation of my patch to master. The code is currently
hidden behind #ifdefs (mainly for the NSS issues outlined on -devel) and I
switched back again to using LDAP_OPT_NETWORK_TIMEOUT for TLS handshake timeouts.

regards,
    Ralf

On Thu, Nov 01, 2012 at 05:22:42PM +0000, rhafer@suse.de wrote:
> 
> Currently libldap is using blocking IO when performing the SSL handshake for
> ldaps:// connections (and when performing the StartTLS operation). The can lead
> to the client blocking forever in the ssl lib (in SSL_connect in case of
> openssl) if e.g. the server for whatever reason stops responding. It would be
> very helpful if libldap would use non-blocking IO during the handshake at least
> when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) are set.


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org