Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS
- From: firstname.lastname@example.org
- Date: Wed, 13 Oct 2010 21:17:58 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Arthur de Jong wrote:
> On Wed, 2010-10-13 at 01:05 -0700, Howard Chu wrote:
>> email@example.com wrote:
>>> If the connection is opened without TLS ldap_unbind() only writes some data on
>>> the connection and then closes it but with TLS it expects some response back.
>>> Since read() is used this blocks.
>> Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL?
> I can confirm that this only happens if libldap is linked with GnuTLS
> and not when it is linked against OpenSSL.
It seems you can work around this by changing tls_g.c's invocation of
gnutls_bye() to use GNUTLS_SHUT_WR instead of GNUTLS_SHUT_RDWR. However, that
strikes me as fundamentally wrong, since libldap is clearly closing both
directions when it gets here. I think the bug is in gnutls_bye(), it shouldn't
be waiting indefinitely when it tries to read the peer's Close alert. I'm not
sure it should even be trying to read that at all; some peers may never send it.
Note that because you're breaking the connection without warning, TCP doesn't
know that the connection is gone, so there will be no error detected when
gnutls attempts to send its own Close alert. In this case, it will probably
block for 2*MSL before getting any further.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
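An added illustration of the bounded-wait behaviour discussed above; it is not code from libldap or GnuTLS. A plain socketpair stands in for the TLS session, shutdown(SHUT_WR) plays the role of sending our close alert, and the wait for the peer's close is bounded with poll() instead of an unbounded read(). The function name close_and_wait_for_peer and the PEER_* result codes are this example's own, not a GnuTLS API.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for the bounded wait (names invented for this example). */
enum { PEER_CLOSED = 1, PEER_TIMEOUT = 0, PEER_ERROR = -1 };

/*
 * Announce that we will send no more (the analogue of GNUTLS_SHUT_WR),
 * then wait at most timeout_ms for the peer's own close.  Unlike an
 * unbounded blocking read(), this returns PEER_TIMEOUT when the peer stays
 * silent, e.g. because the link is dead and TCP has not yet noticed.
 * The bound applies to each poll(); data from the peer restarts it.
 */
int close_and_wait_for_peer(int fd, int timeout_ms)
{
    char buf[64];
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    if (shutdown(fd, SHUT_WR) < 0 && errno != ENOTCONN)
        return PEER_ERROR;

    for (;;) {
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0)
            return PEER_TIMEOUT;           /* peer never sent its close */
        if (rc < 0) {
            if (errno == EINTR)
                continue;
            return PEER_ERROR;
        }
        /* Drain whatever the peer still sends; EOF means it closed too. */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n == 0)
            return PEER_CLOSED;
        if (n < 0 && errno != EINTR)
            return PEER_ERROR;
    }
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    /* Silent peer: a blocking read() would hang here; we time out instead. */
    printf("silent peer: %d\n", close_and_wait_for_peer(sv[0], 200));
    close(sv[1]);                          /* peer finally closes */
    printf("closed peer: %d\n", close_and_wait_for_peer(sv[0], 200));
    return 0;
}
```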