[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS

Arthur de Jong wrote:
> On Wed, 2010-10-13 at 01:05 -0700, Howard Chu wrote:
>> arthur@arthurdejong.org wrote:
>>> If the connection is opened without TLS ldap_unbind() only writes some data on
>>> the connection and then closes it but with TLS it expects some response back.
>>> Since read() is used this blocks.
>> Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL?
> I can confirm that this only happens if libldap is linked with GnuTLS
> and not when it is linked against OpenSSL.

It seems you can workaround this by changing tls_g.c's invocation of 
gnutls_bye() to use GNUTLS_SHUT_WR instead of GNUTLS_SHUT_RDWR. However, that 
strikes me as fundamentally wrong, since libldap is clearly closing both 
directions when it gets here. I think the bug is in gnutls_bye(), it shouldn't 
be waiting indefinitely when it tries to read the peer's Close alert. I'm not 
sure it should even be trying to read that at all; some peers may never send it.

Note that because you're breaking the connection without warning, TCP doesn't 
know that the connection is gone, so there will be no error detected when 
gnutls attempts to send its own Close alert. In this case, it will probably 
block for 2*MSL before getting any further.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/