
Re: (ITS#8110) ldap_sasl_bind_s does not honor LDAP_OPT_NETWORK_TIMEOUT for TLS connections



ahochhaus@samegoal.com wrote:
> Full_Name: Andy
> Version: 2.4.30
> OS: Debian Linux (Jessie)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (67.188.115.159)
>
>
> Hello,
>
> When connecting over TLS to an LDAP server with high packet loss, my calls to
> ldap_sasl_bind_s() block forever some of the time despite having set a 10s limit
> on all of LDAP_OPT_NETWORK_TIMEOUT, LDAP_OPT_TIMEOUT and LDAP_OPT_TIMELIMIT.
>
> I see the following stack trace on the deadlocked process.
>
>      @     0x7f2ff0c0f8d0 (unknown)
>      @     0x7f2ff0c0eac0 __libc_read
>      @           0x5cdc68 sb_debug_read
>      @           0x5c26f5 tlso_bio_read
>      @           0x451b64 BIO_read
>      @           0x49bf86 ssl3_read_n
>      @           0x49d52b ssl3_get_record
>      @           0x49caea ssl3_read_bytes
>      @           0x496f61 ssl3_get_message
>      @           0x496944 ssl3_get_finished
>      @           0x5e4aab ssl3_connect
>      @           0x5e164b ssl23_connect
>      @           0x5c1b3c tlso_session_connect
>      @           0x5b6773 ldap_int_tls_start
>      @           0x5b3a77 ldap_int_open_connection
>      @           0x5a730e ldap_new_connection
>      @           0x5b3365 ldap_open_defconn
>      @           0x5a68e3 ldap_send_initial_request
>      @           0x5a4c1e ldap_sasl_bind
>      @           0x5a4d99 ldap_sasl_bind_s
>
> Inspecting the source, I see that SSL_connect() is called from
> tlso_session_connect(). Does openldap attempt to pass timeout information to
> openssl?
>
> Sorry for the vague bug report. The issue is non-deterministic so it is hard to
> provide too much information. Please let me know what I can do to be more
> helpful.
>
> I was able to find an old posting (from 2006) reporting a similar issue. I'm
> uncertain if the root cause is the same or not though.
>
> http://www.openldap.org/lists/openldap-software/200601/msg00440.html

There is no API for setting a timeout in the TLS library.

http://www.openldap.org/lists/openldap-software/200707/msg00346.html

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
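
The stack trace in this thread ends in a plain blocking read() issued from inside the TLS handshake. As an added example (not from this thread and not OpenLDAP code), the program below shows at the socket layer how such a read behaves against a peer that goes silent after the TCP connect, and how the standard SO_RCVTIMEO socket option bounds it. The helper name read_times_out and the silent loopback listener are constructed for the illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical helper: connect to a loopback listener that never sends a
 * byte (constructed stand-in for a peer whose handshake reply is lost),
 * then read() with a receive timeout of timeout_ms.
 * Returns 1 if read() gave up with EAGAIN/EWOULDBLOCK, 0 if it returned
 * anything else, -1 on setup failure. */
int read_times_out(int timeout_ms)
{
    struct sockaddr_in addr = {0};
    socklen_t len = sizeof(addr);
    struct timeval tv;
    char buf[16];
    ssize_t n;
    int result = -1;
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);

    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks */
    if (srv < 0 || cli < 0 ||
        bind(srv, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(srv, 1) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &len) < 0 ||
        /* TCP connect completes from the backlog; nobody ever accept()s */
        connect(cli, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    /* Without this option the read() below never returns. */
    if (setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
        goto out;
    n = read(cli, buf, sizeof(buf));
    result = (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) ? 1 : 0;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return result;
}

int main(void)
{
    printf("read timed out: %d\n", read_times_out(300));
    return 0;
}
```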