lrm@interlinknetworks.com wrote:
I have already tried this. It does not have any effect on SSL connection negotiation.
There is a very interesting comment in the code which indicates someone was aware of the problem. From the 2.3.20 source distribution, file libraries/libldap/tls.c (line 1445):

    /*
     * Fortunately, the lib uses blocking io...
     */
    if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
        ld->ld_errno = LDAP_CONNECT_ERROR;
        return (ld->ld_errno);
    }

And in ldap_int_tls_connect(), there is a call to SSL_connect( ssl ) that has no provision for asynchronous operation. There is no setting of the non-blocking option that I can find in this code sequence.
To reproduce the problem, simply point your ldaps: URL to a TCP server port that accepts connections, and does nothing with them. The LDAP client will hang forever (or until the server ephemeral port is closed).
Is it an option for you to use Start TLS instead of ldaps? In this case, code in right HEAD should fix all non-blocking issues, as soon as you specify a network timeout and LDAP_OPT_CONNECT_ASYNC (undocumented yet, it's been committed just hours ago).
The usage I suggest is to set LDAP_OPT_NETWORK_TIMEOUT to a positive value; then set LDAP_OPT_CONNECT_ASYNC to TRUE before performing the first operation, and reset it to FALSE after the first operation succeeds. In your case, the first operation would be ldap_start_tls[_s](3).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
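An added illustration of the failure mode lrm reports, written for this thread and not taken from OpenLDAP or from either poster: plain BSD sockets stand in for libldap's connect path, a constructed loopback listener that never answers plays the role of the silent ldaps: port, and a poll() deadline shows the bounded wait that a network timeout gives the client where a blocking SSL_connect() has none. The names start_silent_acceptor, wait_for_server_hello and demo_silent_port are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Outcome of waiting for the server's first handshake bytes. */
enum hs_wait { HS_DATA = 0, HS_TIMEOUT = 1, HS_ERROR = -1 };
/* Constructed stand-in for the misbehaving ldaps: endpoint: a loopback listener
 * whose connections complete in the kernel backlog but never get a byte back.
 * Returns the listening fd and stores the chosen port in *port. */
int start_silent_acceptor(unsigned short *port) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); a.sin_port = 0;
    if (bind(lfd, (struct sockaddr *)&a, sizeof a) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&a, &len) < 0) { close(lfd); return -1; }
    *port = ntohs(a.sin_port);
    return lfd;
}
/* Connect, then wait at most timeout_ms for the peer to send anything. This is
 * where a blocking SSL_connect() sits in read() for a ServerHello with no
 * deadline; the poll() deadline is what a network timeout buys the client.
 * (connect() is left blocking here; the async connect option discussed in the
 * thread covers that earlier phase.) */
enum hs_wait wait_for_server_hello(unsigned short port, int timeout_ms) {
    struct sockaddr_in a; struct pollfd p; int rc;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return HS_ERROR;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); a.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return HS_ERROR; }
    p.fd = fd; p.events = POLLIN; p.revents = 0;
    rc = poll(&p, 1, timeout_ms);  /* 0: deadline hit; >0: data or peer closed */
    close(fd);
    return rc < 0 ? HS_ERROR : (rc == 0 ? HS_TIMEOUT : HS_DATA);
}
/* Reproduce the report end to end: a silent acceptor plus a bounded wait
 * returns HS_TIMEOUT instead of hanging forever. */
enum hs_wait demo_silent_port(int timeout_ms) {
    unsigned short port; int lfd = start_silent_acceptor(&port);
    if (lfd < 0) return HS_ERROR;
    enum hs_wait r = wait_for_server_hello(port, timeout_ms);
    close(lfd);
    return r;
}
```

In libldap the equivalent deadline comes from LDAP_OPT_NETWORK_TIMEOUT, and the non-blocking connect phase from LDAP_OPT_CONNECT_ASYNC, as described in the reply above.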