Thanks for the response, Howard.

Even though OpenSSL has an ASYNC option, are you saying not every TLS engine 
supports async, so you can't add it to LDAP?

Thanks,

Rob Dunn


IBM z/TPFDF development

email:   strmb...@us.ibm.com
phone: (845) 433-1312

-----Original Message-----
From: Howard Chu <h...@symas.com> 
Sent: Monday, May 22, 2023 12:15
To: Robert T Dunn <strmb...@us.ibm.com>; openldap-technical@openldap.org
Cc: Jamie Farmer <jvfar...@us.ibm.com>; Mark Cooper <markc...@us.ibm.com>
Subject: [EXTERNAL] Re: SSL timeout

Robert T Dunn wrote:
> We are experiencing a problem with SSL timeout as reported with issue 
> 8047.

> Our issue is when the LDAP client does an SSL connect to establish the 
> TLS session with the remote server. If the SERVER_HELLO returned from 
> the remote server takes a significant amount of time or does not come 
> back from the server at all (for example, someone unplugged the server), the 
> LDAP client connection DOES NOT time out, and there are no LDAP configuration 
> options to force the session to time out. So, the LDAP client connection is 
> effectively hung forever. Issue 8047 reported the SSL timeout issue, but the 
> issue's status is still UNCONFIRMED. Are there any plans to correct this 
> problem in future versions of LDAP Client?

As noted in this reply https://bugs.openldap.org/show_bug.cgi?id=8047#c5 

This is not ours to fix; the underlying TLS libraries must provide async 
connection support.
> Thanks,
> 
> Rob Dunn
> 
> 
> IBM z/TPFDF development
> 
> email:   strmb...@us.ibm.com <mailto:strmb...@us.ibm.com>
> phone: (845) 433-1312


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com 
  Director, Highland Sun     http://highlandsun.com/hyc/ 
  Chief Architect, OpenLDAP  http://www.openldap.org/project/ 
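
The hang described in the report (a peer that accepts the TCP connection but never returns a ServerHello) can be reproduced locally and compared with a client whose TLS handshake is bounded by a socket timeout. This is an added example, not code from this thread or from OpenLDAP; it uses Python's `ssl` module rather than libldap, and the silent listener and the function names are constructed for the illustration.

```python
import socket
import ssl
import threading
import time


def start_silent_peer():
    """Constructed test peer: accepts TCP, then never sends a ServerHello."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    release = threading.Event()

    def hold():
        conn, _ = listener.accept()
        release.wait()          # keep the TCP session open and stay silent
        conn.close()
        listener.close()

    threading.Thread(target=hold, daemon=True).start()
    return listener.getsockname()[1], release


def tls_connect(host, port, timeout):
    """Attempt a TLS handshake; return (outcome, seconds spent)."""
    ctx = ssl.create_default_context()
    started = time.monotonic()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # The socket timeout also bounds the handshake done by wrap_socket().
        tls = ctx.wrap_socket(raw, server_hostname=host)
        tls.close()
        outcome = "established"
    except socket.timeout:
        outcome = "handshake timed out"
    finally:
        raw.close()
    return outcome, time.monotonic() - started


if __name__ == "__main__":
    port, release = start_silent_peer()
    print(tls_connect("127.0.0.1", port, timeout=2.0))
    release.set()
```

With `timeout=None` the same call blocks for as long as the peer stays silent, which is the behaviour the report describes.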
