Thanks for the response, Howard.
Even though OpenSSL has an ASYNC option, are you saying not every TLS engine supports async, so you can't add it to LDAP?
Thanks,
Rob Dunn
IBM z/TPFDF development
email: strmbrgr@us.ibm.com phone: (845) 433-1312
-----Original Message-----
From: Howard Chu hyc@symas.com
Sent: Monday, May 22, 2023 12:15
To: Robert T Dunn strmbrgr@us.ibm.com; openldap-technical@openldap.org
Cc: Jamie Farmer jvfarmer@us.ibm.com; Mark Cooper markcoop@us.ibm.com
Subject: [EXTERNAL] Re: SSL timeout
Robert T Dunn wrote:
We are experiencing a problem with SSL timeout as reported with issue 8047: https://bugs.openldap.org/show_bug.cgi?id=8047
Our issue is when the LDAP client does an SSL connect to establish the TLS session with the remote server. If the SERVER_HELLO returned from the remote server takes a significant amount of time or does not come back from the server at all (for example, someone unplugged the server), the LDAP client connection DOES NOT timeout, and there are no LDAP configuration options to force the session to timeout. So, the LDAP client connection is effectively hung forever. Issue 8047 reported the SSL timeout issue, but the issue's status is still UNCONFIRMED. Are there any plans to correct this problem in future versions of LDAP Client?
As noted in this reply https://bugs.openldap.org/show_bug.cgi?id=8047#c5
This is not ours to fix; the underlying TLS libraries must provide async connection support.
Thanks,
Rob Dunn
IBM z/TPFDF development
email: strmbrgr@us.ibm.com phone: (845) 433-1312
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
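The failure mode described in the thread (client sends ClientHello, the ServerHello never arrives, a blocking handshake waits forever) can be reproduced and bounded at the socket layer without any support from the TLS library. The following is an added example written for this page; it is not code from the thread, from libldap, or from OpenSSL. It assumes only the Python standard library: a constructed "silent" server accepts the TCP connection and never answers, and the client applies a socket-level deadline so that `do_handshake()` fails with a timeout instead of hanging. The function names (`start_silent_server`, `tls_connect_with_deadline`) are hypothetical.

```python
"""Added example: reproduce a TLS handshake that never completes and show a
socket-level deadline bounding it. Not from the OpenLDAP thread or code base."""
import socket
import ssl
import threading
import time


def start_silent_server():
    """Constructed stand-in for an unplugged or hung peer: accepts the TCP
    connection, reads nothing and sends nothing, so no ServerHello ever arrives.
    Returns (port, stop_event); set the event to shut the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []                           # accepted connections kept open, untouched

    def run():
        srv.settimeout(0.2)             # poll so the stop event is honoured
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)
            except socket.timeout:
                continue
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


def tls_connect_with_deadline(host, port, handshake_timeout):
    """Attempt a TLS handshake and return ("ok", elapsed) or ("timeout", elapsed).

    The deadline is enforced by the socket, not by the TLS library: with no
    socket timeout, a blocking do_handshake() would wait for the ServerHello
    indefinitely, which is the hang described in the thread."""
    ctx = ssl.create_default_context()
    # The constructed server presents no certificate and the handshake never
    # gets that far; verification settings are irrelevant to this demonstration.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    raw = socket.create_connection((host, port), timeout=handshake_timeout)
    raw.settimeout(handshake_timeout)   # this bound is what prevents the hang
    tls = ctx.wrap_socket(raw, do_handshake_on_connect=False)
    start = time.monotonic()
    try:
        tls.do_handshake()              # sends ClientHello, waits for ServerHello
        return "ok", time.monotonic() - start
    except (socket.timeout, TimeoutError):
        return "timeout", time.monotonic() - start
    finally:
        tls.close()


if __name__ == "__main__":
    port, stop = start_silent_server()
    status, elapsed = tls_connect_with_deadline("127.0.0.1", port, 1.0)
    print(f"handshake result: {status} after {elapsed:.2f}s")
    stop.set()
```

The point of the example is where the timeout lives: the TLS layer is unchanged, and the bound comes from the transport underneath it. A client that cannot set such a bound on the socket its TLS library is driving has no way to recover from a peer that accepts the connection and then goes silent.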