Hi,
On Thu, Nov 01, 2012 at 05:36:54PM +0000, I wrote:
> I've just uploaded:
> ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif
> which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set, ldap_int_tls_start will switch to non-blocking IO and call ldap_int_tls_connect as often as needed unless it times out in between. Currently I have only tested this with OpenSSL, but AFAICS this should also work with the NSS and GnuTLS backends.
> Please review and comment.
Did somebody have a chance already to look at this? I'd really like to know if it would be ok to push this patch into master, and if not, what needs to be done to make it acceptable for master.
Meanwhile I have already tried testing it with the NSS and GnuTLS backends, with mixed success so far. But as of now I think the issues I ran into can be blamed on bugs in either GnuTLS or NSS.
Applying this patch to a supported (by libldap) gnutls release e.g. fixes the problems in gnutls: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blobdiff;f=lib/gnutls_buf...
NSS otoh seems to have problems handling short writes during the TLS handshake; I haven't been able to track this down as I don't know NSS well enough. But as I am also able to produce weird failures on the server side using an unmodified libldap, it seems the problem is not related to my patch. (To test this I used a stock FC17 and reduced the TCP buffers to really small values (/proc/sys/net/ipv4/tcp_rmem and tcp_wmem) on both the client and the server. After doing some searches the client locked up; the server log seems to indicate that it did a short write and never retried writing the rest of the buffer.) It would be good if someone with NSS knowledge could look into this (hello Rich ;))
Ralf
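The loop the patch above describes (switch the socket to non-blocking mode and re-enter the handshake step until it completes or LDAP_OPT_NETWORK_TIMEOUT expires) is shown here as an added, self-contained example; it is not code from the patch or from libldap. The handshake step is a stand-in for ldap_int_tls_connect(): real backends report "need more data" the way OpenSSL's SSL_connect() does via SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE. The names handshake_with_deadline, mock_step, run_mock_handshake and the three-byte "server hello" on a socketpair are my own constructions. The point of the deadline is defensive: without it a peer that stops talking mid-handshake stalls the client forever, with it the client gets ETIMEDOUT after the configured wait.

```c
/* Added example (not from the OpenLDAP patch or libldap): drive a
 * non-blocking TLS handshake step to completion under a deadline.
 * Portable POSIX C; a mock peer on a socketpair stands in for the server. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* What one handshake step asks for next (mirrors SSL_ERROR_WANT_READ/WRITE). */
enum hs_result { HS_DONE = 0, HS_WANT_READ = 1, HS_WANT_WRITE = 2, HS_ERROR = -1 };

/* One non-blocking attempt at the handshake; stand-in for ldap_int_tls_connect(). */
typedef enum hs_result (*hs_step_fn)(int fd, void *ctx);

static int64_t now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Returns 0 when the handshake completed, -1 on error, -2 on timeout
 * (errno = ETIMEDOUT). The deadline is absolute, so repeated WANT_READ /
 * WANT_WRITE round trips cannot extend the total wait beyond timeout_ms. */
int handshake_with_deadline(int fd, hs_step_fn step, void *ctx, int timeout_ms) {
    int64_t deadline = now_ms() + timeout_ms;
    for (;;) {
        enum hs_result r = step(fd, ctx);
        if (r == HS_DONE) return 0;
        if (r == HS_ERROR) return -1;
        int64_t remaining = deadline - now_ms();
        if (remaining <= 0) { errno = ETIMEDOUT; return -2; }
        struct pollfd pfd;
        pfd.fd = fd;
        pfd.events = (r == HS_WANT_READ) ? POLLIN : POLLOUT;
        int n = poll(&pfd, 1, (int)remaining);
        if (n == 0) { errno = ETIMEDOUT; return -2; }
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        /* socket is ready: loop back and retry the step */
    }
}

/* Mock handshake: the "client" must receive `remaining` bytes of a
 * constructed server hello, one byte per step, before it is done. */
struct mock_ctx { int remaining; };

static enum hs_result mock_step(int fd, void *vctx) {
    struct mock_ctx *ctx = vctx;
    if (ctx->remaining == 0) return HS_DONE;
    char b;
    ssize_t n = read(fd, &b, 1);
    if (n == 1) { ctx->remaining--; return ctx->remaining ? HS_WANT_READ : HS_DONE; }
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return HS_WANT_READ;
    return HS_ERROR;   /* EOF or a real socket error */
}

/* Run one mock handshake; peer_responds=0 simulates a server that goes silent. */
int run_mock_handshake(int peer_responds, int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);  /* non-blocking, as the patch does */
    struct mock_ctx ctx = { 3 };
    if (peer_responds) {
        ssize_t w = write(sv[1], "abc", 3);  /* constructed 3-byte "server hello" */
        (void)w;
    }
    int rc = handshake_with_deadline(sv[0], mock_step, &ctx, timeout_ms);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void) {
    printf("responsive peer: rc=%d\n", run_mock_handshake(1, 1000));   /* 0 */
    printf("silent peer:     rc=%d (%s)\n", run_mock_handshake(0, 50),
           "expect -2 / ETIMEDOUT");
    return 0;
}
```

In libldap the equivalent of timeout_ms comes from LDAP_OPT_NETWORK_TIMEOUT, and the step function is the backend's connect routine; the structure that matters is the absolute deadline recomputed before every poll(), so a peer that trickles one byte per round trip cannot keep resetting the clock.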