Full_Name: Ralf Haferkamp
Version: HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.80.202)

Currently libldap is using blocking IO when performing the SSL handshake for ldaps:// connections (and when performing the StartTLS operation). This can lead to the client blocking forever in the ssl lib (in SSL_connect in case of openssl) if e.g. the server for whatever reason stops responding. It would be very helpful if libldap would use non-blocking IO during the handshake at least when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) is set.
I've just uploaded:

ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set, ldap_int_tls_start will switch to non-blocking IO and call ldap_int_tls_connect as often as needed unless it times out in between. Currently I have only tested this with openssl, but AFAICS this should also work with the NSS and gnutls backends. Please review and comment.

Ralf
I just uploaded a slightly updated patch to:

ftp://ftp.openldap.org/incoming/rhafer-20121116-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

The code is now only enabled when LDAP_USE_NON_BLOCKING_TLS is defined, mainly because NSS and GNUTLS show some issues with non-blocking sockets. See my mail on -devel. Additionally the non-blocking handshake is only done if LDAP_OPT_TIMEOUT is set. Previously I used LDAP_OPT_NETWORK_TIMEOUT, but IMO LDAP_OPT_TIMEOUT is the better choice.

On Thu, Nov 01, 2012 at 05:36:54PM +0000, rhafer@suse.de wrote:
> I've just uploaded:
>
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> [..]

Ralf
I just pushed the latest incarnation of my patch to master. The code is currently hidden behind #ifdefs (mainly for the NSS issues outlined on -devel) and I switched back again to using LDAP_OPT_NETWORK_TIMEOUT for TLS handshake timeouts.

regards,
Ralf

On Thu, Nov 01, 2012 at 05:22:42PM +0000, rhafer@suse.de wrote:
>
> Currently libldap is using blocking IO when performing the SSL handshake for
> ldaps:// connections (and when performing the StartTLS operation). This can lead
> to the client blocking forever in the ssl lib (in SSL_connect in case of
> openssl) if e.g. the server for whatever reason stops responding. It would be
> very helpful if libldap would use non-blocking IO during the handshake at least
> when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) is set.
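The bounded-handshake loop the patch messages above describe (switch the socket to non-blocking IO, then repeat the connect step until it completes or the network timeout expires), as an added stand-alone C example that is not part of the ITS patch or of libldap. handshake_with_timeout, hs_step_fn, demo_step and demo_handshake are hypothetical names; the step callback stands in for SSL_connect()/SSL_get_error(), and a socketpair plays the server so the code runs offline with a stalled and a responsive peer.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Outcome of one handshake step, modelled on SSL_get_error() after SSL_connect(). */
enum hs_status { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_ERROR };
typedef enum hs_status (*hs_step_fn)(void *ctx); /* hypothetical step callback */
static long now_ms(void) { struct timeval tv; gettimeofday(&tv, NULL); return tv.tv_sec * 1000L + tv.tv_usec / 1000; }

/* Put fd into non-blocking mode and repeat `step` until it completes or the deadline
   passes. Returns 0 on success, -1 with errno set (ETIMEDOUT when the peer stalls). */
int handshake_with_timeout(int fd, hs_step_fn step, void *ctx, long timeout_ms) {
    long deadline = now_ms() + timeout_ms;
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0) return -1;
    for (;;) {
        enum hs_status st = step(ctx);
        if (st == HS_DONE) return 0;
        if (st == HS_ERROR) { errno = EPROTO; return -1; }
        long left = deadline - now_ms();           /* never wait past the deadline */
        if (left <= 0) { errno = ETIMEDOUT; return -1; }
        fd_set rfds, wfds; FD_ZERO(&rfds); FD_ZERO(&wfds);
        FD_SET(fd, st == HS_WANT_READ ? &rfds : &wfds);
        struct timeval tv = { left / 1000, (left % 1000) * 1000 };
        int n = select(fd + 1, &rfds, &wfds, NULL, &tv);
        if (n == 0) { errno = ETIMEDOUT; return -1; }
        if (n < 0 && errno != EINTR) return -1;
    }
}

/* Demo step standing in for SSL_connect(): done once one byte of "ServerHello"
   arrives, WANT_READ while the non-blocking socket has nothing to read. */
static enum hs_status demo_step(void *ctx) {
    char b; ssize_t r = recv(*(int *)ctx, &b, 1, 0);
    if (r == 1) return HS_DONE;
    if (r < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return HS_WANT_READ;
    return HS_ERROR;
}

/* Drive the loop over a socketpair (constructed stand-in for the LDAP connection): a
   responsive "server" sends its byte up front, a stalled one never does. Returns 0 or errno. */
int demo_handshake(int responsive, long timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    if (responsive) (void)send(sv[1], "S", 1, 0);
    int err = handshake_with_timeout(sv[0], demo_step, &sv[0], timeout_ms) == 0 ? 0 : errno;
    close(sv[0]); close(sv[1]);
    return err;
}
```

With a stalled peer the call returns after the timeout with ETIMEDOUT instead of sitting in the handshake indefinitely, which is the failure mode the ticket reports for the blocking path.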
changed notes
changed state Open to Test
moved from Incoming to Software Enhancements
changed notes
changed state Test to Release
changed notes
changed state Release to Closed
Fixed in master (requires -DLDAP_USE_NON_BLOCKING_TLS)
Fixed in RE24, not noted since it is DEVEL only