[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Preliminary TLS/SSL success

On 19 Jul, Julio Sánchez Fernández wrote:
> Now, going to more practical matters, I would appreciate if you could
> have a look at it and tell me why it dows work without using the values
> of sb_trans_needs_write and sb_trans_needs_read and when it is going
> to break because of it.
Aha, searching the code and my memories revealed the function of 
sb_trans_needs_{read,write}. These bits are set when the transport-layer
(OpenSSL, in this case) needs to read or write on the "physical" socket.
It indicates on which events should be selected.

This is there to prevent a deadlock in the following scenario:

- slapd wants to get data (read) from the client.
- the client's TLS layer waits for data from slapd's TLS layer. It needs
  this to be able to send something to slapd.
- slapd's TLS layer needs to send something to the client's TLS layer.

Selecting for 'read' on the socket will not work in this case, since
data will never be available from the client. This way, the TLS layer
will never be called, and never have a chance to send something.

This can happen when the TLS layer needs to renegotiate an encryption
protocol or changes an encryption key or something. In that case some
handshaking needs to be done before further data can be read or written.
Fortunately, this only happens when we explicitly ask the SSL lib for
it, or automatically after a lot of data has been exchanged.

I believe there should be something of the type:

if ber_pvt_sb_needs_read(c->c_sb)
   	slapd_set_read( ber_pvt_sb_get_desc(c->c_sb),1);
if ber_pvt_sb_needs_write(c->c_sb)
   	slapd_set_write( ber_pvt_sb_get_desc(c->c_sb),1);

at the end of both connection_read and connection_write.
> I think it is related to the fact that once we added a file descriptor
> to the select set we keep it there until the connection closes.

I think you just were lucky. As far as I can see, you start selecting
on write after you received (read) the full request, but it can be that
data needs to be written before there is data to be read.


Bart Hartgers - TUE Eindhoven