Re: (ITS#8650) EAGAIN from gnutls_handshake not respected
On 08/03/2018 12:09 PM, Ryan Tandy wrote:
> Thanks for letting me know about this. This patch is running on quite
> a few systems by now, I'm sorry the problem wasn't caught sooner. :/
No worries, thanks for responding so quickly on this!
>> I'm wondering if there is a better way to handle EAGAIN returned from
>> gnutls_handshake(), instead of doing a busywait as in ITS#8650, or my
>> simplistic attempt at inserting a sleep() call which doesn't really
>> seem to help. I'm wondering how the GnuTLS developers intend for
>> people to use gnutls_handshake() properly, so as to gracefully handle
>> sessions that involve long packets on the one hand, without opening
>> up a vulnerability to chew up lots of system resources on the other
>> hand.
>
> Right. I mean, this is how GnuTLS' own example shows to do it:
>
> https://gitlab.com/gnutls/gnutls/blob/master/doc/examples/ex-client-dtls.c#L73-77
>
Hmm, that's a head-scratcher. It doesn't seem very effective to have a
non-blocking I/O interface and then recommend wrapping it in a busywait
loop :-)
> We could place a limit on the number of iterations, though any such
> limit would have to be arbitrary.
>
> There might be an asynchronous GnuTLS API that could be used to avoid
> tying up slapd while this is going on.
>
> I will look at how some other GnuTLS servers deal with this...
Cool, thanks Ryan.
Regards,
   -Kartik
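
An added example, not part of this thread and not OpenLDAP or GnuTLS code: one way to retry a non-blocking handshake without a busywait is to sleep in poll() for the direction the library asked for, under a total time budget per peer. The names `fake_session`, `fake_step`, `handshake_with_deadline`, `demo`, the return codes and the 200 ms budget are constructed for illustration; the mapping to gnutls_handshake() and gnutls_record_get_direction() in the comment is an assumption about how it would be wired up.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-ins. With GnuTLS, the step would call gnutls_handshake() and
 * pick the direction for GNUTLS_E_AGAIN from gnutls_record_get_direction(). */
enum hs { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_FATAL };
struct fake_session { int fd, need, steps; };  /* toy handshake: read `need` bytes */
static enum hs fake_step(struct fake_session *s) {
    char c;
    ssize_t n = recv(s->fd, &c, 1, MSG_DONTWAIT);
    s->steps++;
    if (n == 1) return --s->need == 0 ? HS_DONE : HS_WANT_READ;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)) return HS_WANT_READ;
    return HS_FATAL;                           /* EOF or hard error */
}
static long ms_now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Returns 0 on success, -1 on fatal error, -2 once budget_ms is used up. */
int handshake_with_deadline(struct fake_session *s, int budget_ms) {
    long deadline = ms_now() + budget_ms;
    for (;;) {
        enum hs r = fake_step(s);
        if (r == HS_DONE) return 0;
        if (r == HS_FATAL) return -1;
        long left = deadline - ms_now();
        if (left <= 0) return -2;              /* bounds total work per peer */
        struct pollfd p = { .fd = s->fd, .events = r == HS_WANT_WRITE ? POLLOUT : POLLIN };
        int n = poll(&p, 1, (int)left);        /* sleep until ready; no spinning */
        if (n == 0) return -2;
        if (n < 0 && errno != EINTR) return -1;
    }
}

/* Constructed demo: the peer sends `sent` of the 3 bytes needed, then stalls. */
int demo(int sent, int *steps) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    struct fake_session s = { sv[0], 3, 0 };
    int rc = write(sv[1], "abc", (size_t)sent) == sent ? handshake_with_deadline(&s, 200) : -1;
    *steps = s.steps; close(sv[0]); close(sv[1]);
    return rc;
}
```

A stalled peer costs one handshake attempt and one sleeping poll() here rather than a spinning loop. A server that multiplexes many connections would hand the same direction and deadline to its existing event loop instead of calling poll() inline.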