
Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)



mikedotjackson@gmail.com wrote:
> Full_Name: Mike Jackson
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.157.185.162)
> 
> 
> Push replication via TLS fails to remote servers where the TCP/IP round-trip
> time is greater than 100ms. When the return packets finally arrive, the
> initiating server will close the connection with RST RST RST, which results in
> TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
> will function normally and replication will occur.
> 
> The 100ms time limit comes from here:
> 
> servers/slapd/back-ldap/back-ldap.h:    #define LDAP_BACK_RESULT_UTIMEOUT (100000)
> 
> Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.
> 
> HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
> the config keyword that sets the timeout number of retries"
> 
> In addition, the back_ldap man page is not up to date.
> 
> 
> My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT to (900000) (900ms)
> and recompile. The problem immediately went away, but this is not a correct approach
> and the retry counter should be runtime configurable.

back-ldap has been fixed to use the configured timeout for exops here. Fix is 
in git master.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
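The failure mode described in the report, as an added example that is not OpenLDAP's code: a loopback TCP server whose reply is delayed by a configurable latency stands in for the remote replica, and a client polls for the reply with a fixed per-poll timeout (playing the role of LDAP_BACK_RESULT_UTIMEOUT) and a retry counter. With one 100 ms poll against a 250 ms reply the client gives up and closes the socket before the data arrives, which is the point at which the report sees RSTs on the wire; either raising the per-poll timeout (the report's recompile workaround) or allowing more polls (the configurable retry count the report asks for) lets the reply through. The function names `start_delayed_server`, `wait_for_result` and `run`, the REPLY payload, and the latency values are all constructed for this illustration.

```python
"""Simulated short-poll result timeout on a high-latency link (added example, not OpenLDAP code)."""
import select
import socket
import threading
import time

# Constructed stand-in for a reply; the real protocol payload is irrelevant here.
REPLY = b"bind-ok"


def start_delayed_server(delay_s):
    """Listen on loopback and, for one client, send REPLY after delay_s seconds.

    The sleep models a round-trip time longer than the client's poll interval.
    Returns the ephemeral port the server is bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(delay_s)
            try:
                conn.sendall(REPLY)
            except OSError:
                # The client already closed: sending into a closed peer is the
                # RST case the report describes.
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def wait_for_result(sock, poll_us, retries):
    """Poll for a reply at most `retries` times, each poll at most poll_us microseconds.

    poll_us plays the role of the hard-coded LDAP_BACK_RESULT_UTIMEOUT (100000 in
    the report); `retries` is the counter the report wants runtime configurable.
    Returns (reply_bytes, polls_used); reply_bytes is None if every poll timed out.
    """
    for attempt in range(1, retries + 1):
        ready, _, _ = select.select([sock], [], [], poll_us / 1_000_000)
        if ready:
            return sock.recv(4096), attempt
    return None, retries


def run(latency_s, poll_us, retries):
    """Connect to a server that answers after latency_s and wait with the given policy."""
    port = start_delayed_server(latency_s)
    with socket.create_connection(("127.0.0.1", port)) as sock:
        reply, polls = wait_for_result(sock, poll_us, retries)
    # Leaving the `with` closes the socket. If the reply is still in flight the
    # peer's later send fails, which is what shows up as RST on the wire.
    return reply, polls


if __name__ == "__main__":
    # 100 ms poll, single attempt, 250 ms reply: gives up, reply never read.
    print("100ms x1 :", run(0.25, 100_000, 1))
    # Same poll interval but several attempts: the reply is picked up on a later poll.
    print("100ms x10:", run(0.25, 100_000, 10))
    # The report's workaround: one long poll instead of more of them.
    print("900ms x1 :", run(0.25, 900_000, 1))
```

Running it prints a `None` result for the first case and the reply for the other two. The two successful configurations are not equivalent in practice: a longer single poll blocks the caller for the whole interval, while a short poll with a retry budget lets the caller notice other events between polls, which is why a configurable retry count rather than a larger constant is the better fix.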