
Re: TLS closure and outstanding operations



Jim Sermersheim writes:
> I believe the intent here is to get the client to understand that no
> outstanding operations will be replied to once the server receives the
> TLS closure. If the client abandons all outstanding operations, it
> should not expect to see results.
> 
> The second paragraph is only implied at this point, and I imagine most
> server implementations do this (abandon all outstanding operations in
> one way or another). Either that, or they shut down the connection. If I
> remember right, once the server receives the TLS closure, it can't send
> any more encrypted data, it must respond with a TLS closure message as
> well, so it can't really wait for outstanding operations to finish--it
> has to abandon them.

Well, I think the document should in any case specify what the server
does if the client does _not_ abandon outstanding operations first.

And since bind abandons operations and TLS closure in effect does an
anonymous bind, I think it would be cleaner if TLS closure is specified
to abandon operations instead of asking the client to do so.

Besides, the document doesn't say what happens to outstanding operations
if the _server_ initiates TLS closure, but I guess the only solution in
this case is to abandon them.

It sounds like one difference from bind is that bind can probably wait
for outstanding operations to finish - and return responses - before
binding, while TLS closure would have to simply let them finish if they
can't be abandoned, and return no response anyway.

BTW, 4.13.3.1 (Graceful Closure) is a bit wrong:
>   Before closing a TLS connection, the client MUST either wait for any 
           ^^^^^^^^^^^^^^^^^^^^^^^^
>   outstanding LDAP operations to complete, or explicitly abandon them. 

That should be "before initiating TLS closure".  It can't send abandons
before closing in response to a server initiated closure.

-- 
Hallvard
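The operation-lifetime rules argued over in this thread, modelled as an added example. This is not code from the thread, from the draft, or from any LDAP implementation; every class, method and scenario name below is an assumed one, and the state machine only tracks messageIDs, not real LDAP PDUs. It shows the three cases discussed: a client that initiates TLS closure without abandoning first (the server abandons the rest and sends no result, so the client is left waiting), a client that follows 4.13.3.1 and abandons before initiating closure, and a server-initiated closure where the client never gets the chance to abandon.

```python
"""Model of LDAP operation lifetime across TLS closure (illustrative only)."""
from dataclasses import dataclass, field


@dataclass
class Server:
    """Tracks outstanding operations by messageID and the results it has sent."""
    outstanding: set = field(default_factory=set)
    responses: list = field(default_factory=list)
    tls_closed: bool = False

    def receive_request(self, msg_id: int) -> None:
        if self.tls_closed:
            raise RuntimeError("no LDAP PDUs after TLS closure")
        self.outstanding.add(msg_id)

    def receive_abandon(self, msg_id: int) -> None:
        # Abandon has no response of its own; the target operation is dropped.
        self.outstanding.discard(msg_id)

    def complete(self, msg_id: int) -> None:
        """Server finishes an operation and sends its result, if still open."""
        if msg_id in self.outstanding and not self.tls_closed:
            self.outstanding.remove(msg_id)
            self.responses.append(msg_id)

    def tls_closure(self) -> set:
        """Either side's closure: drop everything outstanding, respond to nothing."""
        abandoned = set(self.outstanding)
        self.outstanding.clear()
        self.tls_closed = True
        return abandoned


@dataclass
class Client:
    server: Server
    next_id: int = 1
    pending: set = field(default_factory=set)

    def send(self) -> int:
        msg_id = self.next_id
        self.next_id += 1
        self.pending.add(msg_id)
        self.server.receive_request(msg_id)
        return msg_id

    def abandon(self, msg_id: int) -> None:
        self.pending.discard(msg_id)
        self.server.receive_abandon(msg_id)

    def collect(self) -> set:
        """Read whatever results the server has actually sent."""
        got = set(self.server.responses)
        self.pending -= got
        return got

    def close_tls_graceful(self) -> set:
        """4.13.3.1 as the thread reads it: abandon before initiating closure."""
        for msg_id in sorted(self.pending):
            self.abandon(msg_id)
        return self.server.tls_closure()

    def close_tls_careless(self) -> set:
        """Initiate closure with operations still outstanding."""
        return self.server.tls_closure()


def scenario_careless() -> tuple:
    """Client closes without abandoning: one result arrives, the other never will."""
    s = Server(); c = Client(s)
    a, b = c.send(), c.send()
    s.complete(a)                       # result for a is sent before closure
    dropped = c.close_tls_careless()    # server abandons b
    s.complete(b)                       # too late: nothing is sent
    return c.collect(), dropped, c.pending   # ({1}, {2}, {2}): client still waits on 2


def scenario_graceful() -> tuple:
    """Client abandons first, so closure finds nothing outstanding."""
    s = Server(); c = Client(s)
    a, b = c.send(), c.send()
    s.complete(a)
    c.collect()
    dropped = c.close_tls_graceful()
    return dropped, c.pending, s.responses   # (set(), set(), [1])


def scenario_server_initiated() -> tuple:
    """Server initiates closure; the client could not abandon beforehand."""
    s = Server(); c = Client(s)
    c.send(); c.send()
    dropped = s.tls_closure()
    return dropped, c.collect()              # ({1, 2}, set())
```

The careless scenario is the case Hallvard wants the document to specify: the client's `pending` set still holds an ID that the server will never answer, so a client that merely waits after closing would hang. The server-initiated scenario shows why "before closing" cannot mean the client abandons in response to a server closure.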