https://bugs.openldap.org/show_bug.cgi?id=9320
Issue ID: 9320
Summary: ldapsearch nettimeout doesn't work with startTls when the server address is not reachable
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: allen.zhang@audiocodes.com
Target Milestone: ---
We found that ldapsearch doesn't return with failure according to the nettimeout when the server address is not valid. It fails only after the TCP timeout (about 120 seconds in my environment). We dug into the source code and found that in common.c, we set the nettimeout after ldap_start_tls_s is called. We tried to call "ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &nettimeout )" before ldap_start_tls_s and it works well!
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- *** Issue 9321 has been marked as a duplicate of this issue. ***
Quanah Gibson-Mount quanah@openldap.org changed:
  Resolution: --- -> INVALID
  Summary: "ldapsearch nettimeout doesn't work with startTls when the server address is not reachable" -> "ldapsearch nettimeout doesn't work with startTLS when the server address is not reachable"
  Status: UNCONFIRMED -> RESOLVED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- In all likelihood, you simply lucked out here. We generally can't set a timeout here because it would require the library functions to use async I/O, and not all engines are async capable; you can see this from the OpenSSL documentation.
SSL_MODE_ASYNC Enable asynchronous processing. TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations.
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: RESOLVED -> VERIFIED
--- Comment #3 from Allen Zhang allen.zhang@audiocodes.com --- Thanks for your reply! We haven't dug into the SSL yet (we will do). It's really hard to explain it as luck... Anyway, do you have any suggestion to make the network timeout work properly?
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Allen Zhang from comment #3)
> Thanks for your reply! We haven't dug into the SSL yet (we will do). It's really hard to explain it as luck... Anyway, do you have any suggestion to make the network timeout work properly?
All SSL engines would need to be async at the SSL library level.
Quanah Gibson-Mount quanah@openldap.org changed:
  Resolution: INVALID -> ---
  Status: VERIFIED -> UNCONFIRMED
Quanah Gibson-Mount quanah@openldap.org changed:
  Resolution: --- -> DUPLICATE
  Status: UNCONFIRMED -> RESOLVED
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
*** This issue has been marked as a duplicate of issue 8047 ***
Quanah Gibson-Mount quanah@openldap.org changed:
  Status: RESOLVED -> VERIFIED
--- Comment #6 from Allen Zhang allen.zhang@audiocodes.com --- We have some new findings: the setup is below:
--- Comment #7 from Allen Zhang allen.zhang@audiocodes.com --- We have some new findings:
The first test setup is below:
1. The server's IP is accessible.
2. The server listens on the port.
Test result: ldapsearch will not time out whatever we set.
The second test setup is below:
1. The server's IP is NOT accessible.
Test result: ldapsearch will time out only after the TCP timeout (about 120 seconds), but not at the timeout value we set.
With our "fix version", ldapsearch will time out according to our timeout value.
--- Comment #8 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Allen Zhang from comment #7)
Stop updating this ticket; if you want this looked at, use the parent 8047.