On Mon, Dec 21, 2009 at 11:08:15PM +1100, Simon Horman wrote:
> On Mon, Dec 21, 2009 at 08:49:59PM +1100, Russell Coker wrote:
> > On Mon, 21 Dec 2009, Simon Horman <ho...@verge.net.au> wrote:
> > > I'm quite happy to consider replacing openssl with GNUTLS.
> > > Although I don't know if it would solve the problem at hand
> > > nor how many bonus problems it might create.
> >
> > My past experience is that converting from OpenSSL to GNUTLS is not THAT
> > difficult, but maintaining a code base to support both via autoconf is
> > quite painful. But I haven't done anything as intense as you in this regard.
> > Hopefully GNUTLS could just replace OpenSSL.
>
> Having both available as a compile-time switch sounds painful.
>
> > http://www.opengroup.org/onlinepubs/000095399/functions/setsockopt.html
> >
> > The above URL documents how to use the SO_RCVTIMEO and SO_SNDTIMEO options
> > of setsockopt().
> >
> > http://74.125.153.132/search?q=cache:rEDEp2tvku8J:article.gmane.org/gmane.network.gnutls.general/227+GNUTLS_E_AGAIN+timeout&cd=9&hl=en&ct=clnk
> >
> > The above URL states that the way to set timeouts on the GNUTLS handshake
> > (and presumably other GNUTLS library calls) is to use setsockopt().
> >
> > I expect that you can use setsockopt() with OpenSSL too. While it's pretty
> > stupid to not have a simple timeout parameter for a function call such as
> > the ones we are discussing, it would be totally stupid to have no way at all
> > of specifying a timeout other than SIGALRM.
>
> Thanks for the pointers, I'll poke and see if that works for the
> problem at hand.
Hi Russell,

the patch below should resolve this problem. It applies against 1.18. 1.18 has a new --authenticate_timeout option which takes effect during authentication, and is the timeout in effect in this case. Due to the small amount of plumbing added for authenticate_timeout this patch doesn't apply cleanly to 1.17. But if necessary you should be able to get it to work by using opt.timeout instead of io_get_timeout(io).

----------------------------------------------------------------------
ssl: honour timeout during setup

Use setsockopt to enforce an idle timeout during SSL setup.

Thanks to Russell Coker for finding this problem and suggesting this fix.

Cc: Russell Coker <russ...@coker.com.au>
Signed-off-by: Simon Horman <ho...@verge.net.au>

Index: perdition/perdition/ssl.c =================================================================== --- perdition.orig/perdition/ssl.c 2009-12-22 11:18:57.000000000 +1100 +++ perdition/perdition/ssl.c 2009-12-22 11:26:37.000000000 +1100 @@ -937,6 +937,48 @@ leave: } +static int set_socket_timeout(int s, long timeout) +{ + struct timeval tv = { .tv_sec = timeout, .tv_usec = 0 }; + + if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) { + VANESSA_LOGGER_DEBUG_ERRNO("setcockopt"); + return -1; + } + + return 0; +} + +static int io_set_socket_timeout(io_t *io, long timeout) +{ + int s; + + s = io_get_rfd(io); + if (s < 0) { + VANESSA_LOGGER_DEBUG("io_get_rfd"); + return -1; + } + + if (set_socket_timeout(s, timeout) < 0) { + VANESSA_LOGGER_DEBUG("set_socket_timeout(rfd)"); + return -1; + } + + s = io_get_wfd(io); + if (s < 0) { + VANESSA_LOGGER_DEBUG("io_get_wfd"); + return -1; + } + + if (set_socket_timeout(s, timeout) < 0) { + VANESSA_LOGGER_DEBUG("set_socket_timeout(wfd)"); + return -1; + } + + return 0; +} + + /********************************************************************** * __perdition_ssl_connection * Change a stdio based connection into an SSL connection 
@@ -959,6 +1001,7 @@ static io_t *__perdition_ssl_connection( io_t *new_io = NULL; SSL *ssl = NULL; int ret; + long timeout; ssl = SSL_new(ssl_ctx); if (!ssl) { @@ -974,10 +1017,17 @@ static io_t *__perdition_ssl_connection( goto bail; } - io_set_timeout(new_io, io_get_timeout(io)); + timeout = io_get_timeout(io); + + io_set_timeout(new_io, timeout); io_destroy(io); io = NULL; + if (io_set_socket_timeout(new_io, timeout) < 0) { + VANESSA_LOGGER_DEBUG("io_set_socket_timeout(timeout)"); + goto bail; + } + /* Get for TLS/SSL handshake */ if (flag & PERDITION_SSL_CLIENT) { SSL_set_connect_state(ssl); @@ -994,11 +1044,16 @@ static io_t *__perdition_ssl_connection( if (ret <= 0) { PERDITION_DEBUG_SSL_IO_ERR("SSL_accept", io_get_ssl(new_io), ret); - VANESSA_LOGGER_DEBUG("no shared ciphers?"); + VANESSA_LOGGER_DEBUG("timeout or no shared ciphers?"); goto bail; } } + if (io_set_socket_timeout(new_io, 0) < 0) { + VANESSA_LOGGER_DEBUG("io_set_socket_timeout(0)"); + goto bail; + } + return (new_io); bail:
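Review bot: in the @@ -937,6 +937,48 @@ hunk, set_socket_timeout() only sets SO_RCVTIMEO, yet io_set_socket_timeout() deliberately applies it to the write descriptor as well and the commit message promises an idle timeout for the whole SSL setup; a handshake write that blocks because the peer stops draining its side is left unbounded. Suggest a second call in set_socket_timeout(), `setsockopt(s, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))`, with its own error log; SO_RCVTIMEO and SO_SNDTIMEO are also the pair the setsockopt reference Russell cited names. Minor: the log string in that function reads "setcockopt"; make it "setsockopt" so the message matches the call it reports on.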
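Review bot: in the @@ -974,10 +1017,17 @@ hunk, the value returned by io_get_timeout(io) is handed to set_socket_timeout(), which stores it straight into tv.tv_sec, so the change silently assumes that accessor returns whole seconds; a comment on the new `long timeout` (or in set_socket_timeout()) should record that, since any other unit would make the handshake wait far longer or shorter than --authenticate_timeout configures. A value of 0 is also passed through unchanged, which for SO_RCVTIMEO means "never time out"; if 0 is the not-configured value that is the intended behaviour, but it deserves a line of comment next to the call.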
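Review bot: in the @@ -994,11 +1044,16 @@ hunk, io_set_socket_timeout(new_io, 0) after a successful handshake forces SO_RCVTIMEO back to zero rather than to whatever the descriptors carried before the handshake, so a receive timeout set on them by any other part of perdition is lost. Suggest reading the previous value with getsockopt(SO_RCVTIMEO) before the handshake and restoring that here. Separately, "timeout or no shared ciphers?" leaves the operator guessing which one happened: when the socket timeout fires the underlying read fails with EAGAIN/EWOULDBLOCK and OpenSSL reports that as a retryable SSL_ERROR_WANT_READ (or WANT_WRITE) rather than a fatal error, so checking SSL_get_error() for that case after SSL_accept and logging a distinct "handshake timed out" would make the log unambiguous.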
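The socket-timeout mechanism the thread relies on, as an added example that is not part of this mail or of perdition's code: it sets SO_RCVTIMEO and SO_SNDTIMEO on one end of a constructed socketpair, shows the idle read failing with EAGAIN/EWOULDBLOCK once the timeout fires (the GNUTLS_E_AGAIN case from the cached gmane post), and afterwards restores the descriptor's previous timeouts instead of forcing them to zero as the patch does. The helper names are invented for the example; nothing here links against OpenSSL.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Previous SO_RCVTIMEO/SO_SNDTIMEO values, saved so they can be put back
 * once the bounded operation (an SSL handshake in perdition) is done. */
struct sock_timeouts { struct timeval rcv, snd; };

static int get_timeouts(int s, struct sock_timeouts *t)
{
    socklen_t len = sizeof(t->rcv);
    if (getsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &t->rcv, &len) < 0)
        return -1;
    len = sizeof(t->snd);
    return getsockopt(s, SOL_SOCKET, SO_SNDTIMEO, &t->snd, &len);
}

/* Apply both timeouts; a zero timeval means "never time out" (the default). */
static int put_timeouts(int s, const struct sock_timeouts *t)
{
    if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &t->rcv, sizeof(t->rcv)) < 0)
        return -1;
    return setsockopt(s, SOL_SOCKET, SO_SNDTIMEO, &t->snd, sizeof(t->snd));
}

/* Read from a connected peer that never sends, with a 200 ms idle timeout.
 * Returns 1 when the read fails with EAGAIN/EWOULDBLOCK (the timeout fired)
 * and the original timeouts were restored afterwards; 0 otherwise. */
int demo_idle_read_times_out(void)
{
    int sv[2], timed_out = 0;
    struct sock_timeouts saved, bounded;
    char buf[16];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)   /* constructed peer */
        return 0;
    bounded.rcv.tv_sec = 0;  bounded.rcv.tv_usec = 200000;
    bounded.snd = bounded.rcv;
    if (get_timeouts(sv[0], &saved) == 0 && put_timeouts(sv[0], &bounded) == 0) {
        ssize_t n = read(sv[0], buf, sizeof(buf));   /* sv[1] stays silent */
        timed_out = (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK));
        /* Restore what the socket had before, rather than forcing it to 0. */
        if (put_timeouts(sv[0], &saved) < 0)
            timed_out = 0;
    }
    close(sv[0]);
    close(sv[1]);
    return timed_out;
}
```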