Re: [PATCH][RFC] set socket timeout for SSL handshake

On Fri, 2011-08-05 at 15:01 +0200, Stefan Völkel wrote:
> I don't see timeouts being set in do_open(). Do you mean do_close() by 
> any chance?

No, in the 0.8 version some timeout options are set in do_open()
based on a discussion with OpenLDAP and GnuTLS people:
  http://www.openldap.org/its/index.cgi?findid=6673
  https://savannah.gnu.org/support/index.php?107495
(only part of this ended up in the 0.7.12 release)

> I moved the callback registering to do_set_options() since all other 
> options are also set there, and do_set_options() is called from do_open().

Thanks.

> Also I decided to add another option, sock_timeout, to not hardcode it.

I think it's better to use the existing timelimit option, although it
probably isn't the most appropriate option. It is already used for
LDAP_OPT_TIMELIMIT, LDAP_OPT_TIMEOUT and LDAP_OPT_NETWORK_TIMEOUT. This
patch is basically a workaround for broken/incomplete handling of
LDAP_OPT_NETWORK_TIMEOUT in OpenLDAP.

In the long run it's probably best to have separate timelimit, timeout
and bind_timeout options.

> And on top of that, I also created a patch against the 0.7.13 debian 
> package.

I've committed your patch with some modifications:
- use the timelimit option
- use LDAP_OPT_CONNECT_CB instead of LDAP_OPT_X_TLS_CONNECT_CB (this
  also works and should cover more problematic cases)
- also use set_socket_timeout() in other places where socket timeouts
  were set
- tweaked the logging a bit

It can be found here:
  http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1490

Thanks very much for your testing and patch!

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
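The mechanism the thread is about is applying a socket-level timeout before the TLS handshake runs, so that a peer which accepts the TCP connection but never answers the ClientHello cannot hang the lookup (the case LDAP_OPT_NETWORK_TIMEOUT in OpenLDAP does not cover, per the message above). The block below is an added, stand-alone illustration and is not code from nss-pam-ldapd or from the committed patch: in the real daemon the timeout is applied from the LDAP_OPT_CONNECT_CB callback on the socket libldap just connected, whereas here a socketpair() with a silent "server" end stands in for that socket, and the function names apply_socket_timeout() and silent_peer_read_times_out() are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Apply the same limit to both receive and send on fd using SO_RCVTIMEO /
 * SO_SNDTIMEO. Once set, any blocking read or write on the socket, including
 * the reads and writes the TLS library does during the handshake, fails with
 * EAGAIN/EWOULDBLOCK instead of blocking forever.
 * Note: a zero timeval means "no timeout" to the kernel, so non-positive
 * values are rejected rather than silently disabling the limit.
 * Returns 0 on success, -1 with errno set on failure. */
int apply_socket_timeout(int fd, int seconds)
{
    struct timeval tv;

    if (seconds <= 0) {
        errno = EINVAL;
        return -1;
    }
    tv.tv_sec = seconds;
    tv.tv_usec = 0;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)) < 0)
        return -1;
    return 0;
}

/* Constructed scenario: the peer "accepted" the connection (the socketpair
 * exists) but never sends anything, like a server that never produces its
 * ServerHello. Returns 1 if the blocking recv() gave up with a timeout
 * error after the configured limit, 0 if it failed in some other way. */
int silent_peer_read_times_out(int seconds)
{
    int sv[2];
    char buf[16];
    ssize_t n;
    int result = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (apply_socket_timeout(sv[0], seconds) == 0) {
        /* sv[1] is the silent peer: nothing is ever written to it, so
         * without the timeout this recv() would block indefinitely. */
        n = recv(sv[0], buf, sizeof(buf), 0);
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            result = 1;
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    int timed_out = silent_peer_read_times_out(1);

    printf("read against a silent peer %s after 1s\n",
           timed_out ? "timed out as expected" : "did NOT time out");
    return timed_out ? 0 : 1;
}
```

In a real client the same apply_socket_timeout() call would run on the file descriptor libldap hands to the connect callback, before ldap_start_tls_s() or the ldaps:// handshake proceeds; the socketpair is only there so the behaviour can be exercised without a network.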