Arthur de Jong wrote:
On Wed, 2010-10-13 at 01:05 -0700, Howard Chu wrote:
arthur@arthurdejong.org wrote:
If the connection is opened without TLS, ldap_unbind() only writes some data on the connection and then closes it, but with TLS it expects some response back. Since read() is used, this blocks.
Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL?
I can confirm that this only happens if libldap is linked with GnuTLS and not when it is linked against OpenSSL.
It seems you can work around this by changing tls_g.c's invocation of gnutls_bye() to use GNUTLS_SHUT_WR instead of GNUTLS_SHUT_RDWR. However, that strikes me as fundamentally wrong, since libldap is clearly closing both directions when it gets here. I think the bug is in gnutls_bye(), it shouldn't be waiting indefinitely when it tries to read the peer's Close alert. I'm not sure it should even be trying to read that at all; some peers may never send it.
Note that because you're breaking the connection without warning, TCP doesn't know that the connection is gone, so there will be no error detected when gnutls attempts to send its own Close alert. In this case, it will probably block for 2*MSL before getting any further.
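The blocking behaviour discussed above, as an added illustration that is not libldap's or GnuTLS's code: a plain socketpair models the two-sided close. The local side sends its close notice and half-closes its write direction (what a write-only shutdown does), then waits to read the peer's answer. A peer that answers produces EOF; a peer that never sends its Close alert leaves the read waiting, which the example bounds with a receive timeout so it terminates. The function names, the 200 ms timeout and the "close" notice are assumptions made for this example.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model of the close sequence in the thread: the local side
 * (like libldap in ldap_unbind()) sends a close notice and then waits to
 * read the peer's close notice. A receive timeout stands in for the
 * unbounded blocking read(). */
static int set_read_timeout(int fd, int ms)
{
    struct timeval tv = { .tv_sec = ms / 1000, .tv_usec = (ms % 1000) * 1000 };
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* Returns 0 if the peer's close (EOF) was read, 1 if the read would have
 * blocked (timeout: the peer never answered), -1 on any other error. */
static int wait_for_peer_close(int fd, int timeout_ms)
{
    char buf[16];
    if (set_read_timeout(fd, timeout_ms) < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    if (n == 0)
        return 0;              /* peer shut down its write side: close seen */
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 1;              /* nothing arrived: a plain read() would hang */
    return -1;
}

/* Local side: send the close notice, then half-close the write direction.
 * This is the part a write-only shutdown performs; it never blocks. */
static void send_close_notice(int fd)
{
    (void)write(fd, "close", 5);
    shutdown(fd, SHUT_WR);
}

/* Scenario A: the peer reads our notice and answers by half-closing its own
 * write side, so the waiting read sees EOF and returns promptly. */
int scenario_peer_answers_close(void)
{
    int sv[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    send_close_notice(sv[0]);
    (void)read(sv[1], buf, sizeof buf);   /* peer consumes our notice */
    shutdown(sv[1], SHUT_WR);             /* peer answers with its close */
    int rc = wait_for_peer_close(sv[0], 200);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Scenario B: the peer reads our notice but never answers. Without the
 * timeout the read in wait_for_peer_close() would block indefinitely. */
int scenario_peer_silent(void)
{
    int sv[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    send_close_notice(sv[0]);
    (void)read(sv[1], buf, sizeof buf);   /* peer consumes our notice, says nothing */
    int rc = wait_for_peer_close(sv[0], 200);
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

Scenario A is the exchange a full two-way close assumes; scenario B is the case the thread describes, a peer that never sends its Close alert, and shows why a shutdown that insists on reading the peer's alert needs a bound on how long it waits.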