Re: (ITS#7428) libldap: use non-blocking IO during TLS handshake


On Thu, Nov 01, 2012 at 05:36:54PM +0000, I wrote:
> I've just uploaded:
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set,
> ldap_int_tls_start will switch to non-blocking IO and call
> ldap_int_tls_connect as often as needed unless it times out in between.
> Currently I have only tested this with openssl, but AFAICS this should also work
> with the NSS and gnutls backends.
> Please review and comment.

Did somebody have a chance already to look at this? I'd really like to know if
it would be ok to push this patch into master, and if not, what needs to be
done to make it acceptable for master.

Meanwhile I already tried testing it with the NSS and gnutls backends, with
mixed success so far. But as of now I think the issues I ran into can be blamed
on bugs in either gnutls or NSS.

Applying this patch to a gnutls release supported by libldap, e.g., fixes the
problems in gnutls:

NSS OTOH seems to have problems handling short writes during the TLS handshake;
I haven't been able to track this down as I don't know NSS well enough.
But as I am also able to produce weird failures on the server side using an
unmodified libldap, it seems the problem is not related to my patch (to test
this I used a stock FC17 and reduced the tcp buffers to really small
values (/proc/sys/net/ipv4/tcp_rmem and tcp_wmem) on both the client and the
server). After doing some searches the client locked up; the server log seems to
indicate that it did a short write and never retries to write the rest of the
Would be good if someone with NSS knowledge could look into this (hello Rich ;))