On Thu, Sep 10, 2009 at 02:51:34PM +0000, Emmanuel Dreyfus wrote:
> I tried looping on SSL_accept() until it succeeds, in tlso_session_accept(). It often has to try between 400 and 800 times before getting a success.
The statement above should be discarded, as I overlooked a few things. Here is my latest analysis of the problem:
- Here is the code path leading to the error: ldap_pvt_tls_accept -> tlso_session_accept -> SSL_accept

- During SSL_accept(), the tlso_info_cb() callback is invoked only once, as reported by LDAP_DEBUG_TRACE output:

    TLS trace: SSL_accept:before/accept initialization

  There is no "TLS trace: SSL_accept:SSLv3 read client hello A", as we have in normal sessions.

- When SSL_accept() returns, it has:

    SSL_accept return value = 0
    SSL_get_error() returns SSL_ERROR_SYSCALL
    ERR_get_error() returns 0
    errno is set to 0.

- Reading SSL_get_error(3), I would be in the "EOF was observed that violates the protocol" situation:

    SSL_ERROR_SYSCALL
        Some I/O error occurred. The OpenSSL error queue may contain
        more information on the error. If the error queue is empty
        (i.e. ERR_get_error() returns 0), ret can be used to find out
        more about the error: If ret == 0, an EOF was observed that
        violates the protocol. If ret == -1, the underlying BIO
        reported an I/O error (for socket I/O on Unix systems, consult
        errno for details).

But I have trouble claiming the client is the culprit, since it happens with a rich mixture of clients: NetBSD, Linux, MacOS X.