Issue 7428 - libldap: use non-blocking IO during TLS handshake
Summary: libldap: use non-blocking IO during TLS handshake
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 17:22 UTC by Ralf
Modified: 2014-08-01 21:04 UTC

See Also:


Description Ralf 2012-11-01 17:22:42 UTC
Full_Name: Ralf Haferkamp
Version: HEAD
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.80.202)


Currently libldap is using blocking IO when performing the SSL handshake for
ldaps:// connections (and when performing the StartTLS operation). This can lead
to the client blocking forever in the ssl lib (in SSL_connect in case of
openssl) if e.g. the server for whatever reason stops responding. It would be
very helpful if libldap would use non-blocking IO during the handshake at least
when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) are set.

Comment 1 Ralf 2012-11-01 17:36:03 UTC
I've just uploaded:

ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set,
ldap_int_tls_start will switch to non-blocking IO and call
ldap_int_tls_connect as often as needed unless it times out in between.
Currently I have only tested this with openssl, but AFAICS this should also work
with the NSS and gnutls backends.

Please review and comment.

Ralf

Comment 2 Ralf 2012-11-16 15:44:12 UTC
I just uploaded a slightly updated patch to:

ftp://ftp.openldap.org/incoming/rhafer-20121116-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

The code is now only enabled when LDAP_USE_NON_BLOCKING_TLS is defined, mainly
because NSS and GNUTLS show some issues with non-blocking sockets. See my mail
on -devel. Additionally, the non-blocking handshake is only done if
LDAP_OPT_TIMEOUT is set. Previously I used LDAP_OPT_NETWORK_TIMEOUT, but IMO
LDAP_OPT_TIMEOUT is the better choice.

On Thu, Nov 01, 2012 at 05:36:54PM +0000, rhafer@suse.de wrote:
> I've just uploaded:
> 
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> 
[..]

Ralf

Comment 3 Ralf 2012-11-21 13:52:37 UTC
I just pushed the latest incarnation of my patch to master. The code is currently
hidden behind #ifdefs (mainly for the NSS issues outlined on -devel) and I
switched back again to using LDAP_OPT_NETWORK_TIMEOUT for TLS handshake timeouts.

regards,
    Ralf

On Thu, Nov 01, 2012 at 05:22:42PM +0000, rhafer@suse.de wrote:
> 
> Currently libldap is using blocking IO when performing the SSL handshake for
> ldaps:// connections (and when performing the StartTLS operation). This can lead
> to the client blocking forever in the ssl lib (in SSL_connect in case of
> openssl) if e.g. the server for whatever reason stops responding. It would be
> very helpful if libldap would use non-blocking IO during the handshake at least
> when LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_TIMEOUT?) are set.

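The handshake loop the patch describes (switch the socket to non-blocking mode, call the TLS connect step as often as needed, give up once the network timeout expires instead of blocking forever in the ssl lib), as an added example written for this page and not code from the OpenLDAP patch. The TLS library is modelled by a hypothetical `hs_step` function pointer returning the progress states SSL_connect reports through SSL_get_error, and `wait_one_byte` is a constructed stand-in for it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Progress states of one non-blocking TLS connect step (cf. SSL_get_error()). */
enum hs_state { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_ERROR };
typedef enum hs_state (*hs_step)(int fd);   /* hypothetical, stands in for the TLS lib */

static long now_ms(void) {
    struct timespec t; clock_gettime(CLOCK_MONOTONIC, &t);
    return t.tv_sec * 1000L + t.tv_nsec / 1000000;
}

/* Drive the handshake with fd in non-blocking mode, waiting in poll() only until
 * the deadline. Returns 0 on success, -1 on handshake error, -2 (errno = ETIMEDOUT)
 * when timeout_ms expires with a silent peer. Blocking mode is restored on every exit. */
int tls_handshake_timeout(int fd, hs_step step, long timeout_ms) {
    int rc = -1, flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    long end = now_ms() + timeout_ms;
    for (;;) {
        enum hs_state st = step(fd);
        if (st == HS_DONE) { rc = 0; break; }
        if (st == HS_ERROR) break;
        long left = end - now_ms();                       /* remaining budget */
        struct pollfd pfd = { fd, (st == HS_WANT_READ) ? POLLIN : POLLOUT, 0 };
        int r = left > 0 ? poll(&pfd, 1, (int)left) : 0;
        if (r == 0) { errno = ETIMEDOUT; rc = -2; break; }  /* deadline hit */
        if (r < 0 && errno != EINTR) break;
    }
    fcntl(fd, F_SETFL, flags);   /* back to blocking IO for the normal LDAP traffic */
    return rc;
}

/* Constructed step function: the "handshake" completes once one byte of the peer's
 * reply arrives; a silent peer keeps reporting HS_WANT_READ, EOF is an error. */
static enum hs_state wait_one_byte(int fd) {
    char c;
    ssize_t n = read(fd, &c, 1);
    if (n == 1) return HS_DONE;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return HS_WANT_READ;
    return HS_ERROR;
}
```

With a real TLS backend the step function would wrap SSL_connect and map SSL_ERROR_WANT_READ/WANT_WRITE onto HS_WANT_READ/HS_WANT_WRITE.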
Comment 4 Ralf 2012-11-21 13:53:29 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Enhancements
Comment 5 Quanah Gibson-Mount 2012-11-26 22:34:24 UTC
changed notes
changed state Test to Release
Comment 6 Quanah Gibson-Mount 2013-03-05 02:24:30 UTC
changed notes
changed state Release to Closed
Comment 7 OpenLDAP project 2014-08-01 21:04:56 UTC
Fixed in master (requires -DLDAP_USE_NON_BLOCKING_TLS)
Fixed in RE24, not noted since it is DEVEL only