
Re: Preliminary TLS/SSL success

On 19 Jul, Julio Sánchez Fernández wrote:
> Now, going to more practical matters, I would appreciate if you could
> have a look at it and tell me why it does work without using the values
> of sb_trans_needs_write and sb_trans_needs_read and when it is going
> to break because of it.
> 
Aha, searching the code and my memories revealed the function of
sb_trans_needs_{read,write}. These bits are set when the transport layer
(OpenSSL, in this case) needs to read or write on the "physical" socket.
They indicate which events should be selected for.

This is there to prevent a deadlock in the following scenario:

- slapd wants to get data (read) from the client.
- the client's TLS layer waits for data from slapd's TLS layer. It needs
  this to be able to send something to slapd.
- slapd's TLS layer needs to send something to the client's TLS layer.

Selecting for 'read' on the socket will not work in this case, since
data will never be available from the client. This way, the TLS layer
will never be called, and never have a chance to send something.

This can happen when the TLS layer needs to renegotiate an encryption
protocol or changes an encryption key or something. In that case some
handshaking needs to be done before further data can be read or written.
Fortunately, this only happens when we explicitly ask the SSL lib for
it, or automatically after a lot of data has been exchanged.

I believe there should be something of the type:

if ( ber_pvt_sb_needs_read( c->c_sb ) )
	slapd_set_read( ber_pvt_sb_get_desc( c->c_sb ), 1 );
if ( ber_pvt_sb_needs_write( c->c_sb ) )
	slapd_set_write( ber_pvt_sb_get_desc( c->c_sb ), 1 );

at the end of both connection_read and connection_write.
> I think it is related to the fact that once we added a file descriptor
> to the select set we keep it there until the connection closes.
> 

I think you were just lucky. As far as I can see, you start selecting
on write after you have received (read) the full request, but it can be
that data needs to be written before there is data to be read.

Bart

-- 
Bart Hartgers - TUE Eindhoven
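
As an added illustration (not part of Bart's mail, and not OpenLDAP code): the deadlock described above and the proposed fix, modelled in C with a simulated non-blocking TLS transport behind a select loop. The client, the kernel send buffer and the transport (the role OpenSSL plays behind the sockbuf) are in-memory stand-ins built for the example, and every name below (trans_read, trans_flush, interest_naive, interest_fixed, run_loop, conn_t) is invented for it; the only thing taken from the mail is the rule that the select interest must include what the transport needs, not just what the application wants.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of slapd's select loop over a non-blocking TLS
 * transport.  Not OpenLDAP code: the client, the kernel send buffer and
 * the transport (OpenSSL's role) are in-memory stand-ins, and every name
 * below is invented for the illustration. */

enum trans_status { TRANS_OK, TRANS_WANT_READ, TRANS_WANT_WRITE };

typedef struct {
    /* the client: sends a handshake message first and sends the LDAP
     * request only after our handshake reply has reached it */
    bool hello_sent, hello_consumed, reply_received, request_sent;
    /* the kernel: is the socket send buffer full? */
    bool sendbuf_full;
    /* the transport layer (OpenSSL behind the sockbuf) */
    bool needs_read;       /* like sb_trans_needs_read  */
    bool needs_write;      /* like sb_trans_needs_write */
    bool reply_pending;    /* handshake bytes still to be sent */
    /* the application (slapd) */
    bool app_wants_read;   /* waiting for the next request */
    bool app_wants_write;  /* has a response queued */
    char request[32];      /* set once a request has been decrypted */
} conn_t;

/* Like SSL_read on a non-blocking socket: may have to write first. */
static enum trans_status trans_read(conn_t *c)
{
    c->needs_read = c->needs_write = false;
    if (c->hello_sent && !c->hello_consumed) {
        c->hello_consumed = true;     /* handshake message read... */
        c->reply_pending = true;      /* ...so a reply is now owed */
    }
    if (c->reply_pending) {
        if (c->sendbuf_full) {        /* write() would give EAGAIN */
            c->needs_write = true;    /* SSL_ERROR_WANT_WRITE */
            return TRANS_WANT_WRITE;
        }
        c->reply_pending = false;
        c->reply_received = true;
    }
    if (!c->request_sent) {
        c->needs_read = true;         /* SSL_ERROR_WANT_READ */
        return TRANS_WANT_READ;
    }
    strcpy(c->request, "bindRequest");  /* decrypted application data */
    return TRANS_OK;
}

/* Flush pending handshake bytes once the socket is writable. */
static enum trans_status trans_flush(conn_t *c)
{
    c->needs_write = false;
    if (c->reply_pending) {
        if (c->sendbuf_full) { c->needs_write = true; return TRANS_WANT_WRITE; }
        c->reply_pending = false;
        c->reply_received = true;
    }
    return TRANS_OK;
}

typedef struct { bool read, write; } interest_t;

/* What the original code selected on: the application's intent only. */
static interest_t interest_naive(const conn_t *c)
{
    interest_t i = { c->app_wants_read, c->app_wants_write };
    return i;
}

/* The fix proposed in the mail: also select on what the transport needs. */
static interest_t interest_fixed(const conn_t *c)
{
    interest_t i = interest_naive(c);
    if (c->needs_read)  i.read  = true;
    if (c->needs_write) i.write = true;
    return i;
}

/* One select() round per tick; returns the tick on which the request was
 * read, or -1 if the loop never makes progress (the deadlock). */
static int run_loop(conn_t *c, interest_t (*policy)(const conn_t *), int max_ticks)
{
    for (int tick = 1; tick <= max_ticks; tick++) {
        interest_t want = policy(c);
        /* simulated select(): readable only if the client put something on
         * the wire we have not consumed, writable only if there is room */
        bool readable = want.read &&
                        ((c->hello_sent && !c->hello_consumed) || c->request_sent);
        bool writable = want.write && !c->sendbuf_full;
        if (writable) (void)trans_flush(c);   /* connection_write */
        if (readable) (void)trans_read(c);    /* connection_read  */
        if (c->request[0]) return tick;
        c->sendbuf_full = false;              /* kernel drains the buffer */
        if (c->reply_received) c->request_sent = true;  /* client reacts */
    }
    return -1;
}

static conn_t fresh_conn(void)
{
    conn_t c = {0};
    c.hello_sent = true;       /* client has just asked to renegotiate */
    c.sendbuf_full = true;     /* our send buffer happens to be full   */
    c.app_wants_read = true;   /* slapd is waiting for a request       */
    return c;
}

int ticks_naive(void) { conn_t c = fresh_conn(); return run_loop(&c, interest_naive, 100); }
int ticks_fixed(void) { conn_t c = fresh_conn(); return run_loop(&c, interest_fixed, 100); }
```

With interest_naive the loop stalls after the first round: the transport has flagged needs_write, but the loop keeps selecting for read only, and the socket never becomes readable because the client is itself waiting for our handshake reply. With interest_fixed the second round selects for write as well, the reply goes out, the client sends its request, and the third round reads it. This is the same reasoning as the two if-lines proposed for the end of connection_read and connection_write.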