
Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

On 08/03/2018 12:09 PM, Ryan Tandy wrote:
> Thanks for letting me know about this. This patch is running on quite 
> a few systems by now, I'm sorry the problem wasn't caught sooner. :/

No worries, thanks for responding so quickly on this!

>> I'm wondering if there is a better way to handle EAGAIN returned from 
>> gnutls_handshake(), instead of doing a busywait as in ITS#8650, or my 
>> simplistic attempt at inserting a sleep() call which doesn't really 
>> seem to help. I'm wondering how the GnuTLS developers intend for 
>> people to use gnutls_handshake() properly, so as to gracefully handle 
>> sessions that involve long packets on the one hand, without opening 
>> up a vulnerability to chew up lots of system resources on the other 
>> hand.
> Right. I mean, this is how GnuTLS' own example shows to do it:
> https://gitlab.com/gnutls/gnutls/blob/master/doc/examples/ex-client-dtls.c#L73-77 

Hmm, that's a head-scratcher. It doesn't seem very effective to have a 
non-blocking I/O interface and then recommend wrapping it in a busywait 
loop :-)

> We could place a limit on the number of iterations, though any such 
> limit would have to be arbitrary.
> There might be an asynchronous GnuTLS API that could be used to avoid 
> tying up slapd while this is going on.
> I will look at how some other GnuTLS servers deal with this...

Cool, thanks Ryan.