Thanks for the response, Howard. Even though OpenSSL has an ASYNC option, are you saying not every TLS engine supports async, so you can't add it to LDAP?
Thanks, Rob Dunn IBM z/TPFDF development email: [email protected] phone: (845) 433-1312 -----Original Message----- From: Howard Chu <[email protected]> Sent: Monday, May 22, 2023 12:15 To: Robert T Dunn <[email protected]>; [email protected] Cc: Jamie Farmer <[email protected]>; Mark Cooper <[email protected]> Subject: [EXTERNAL] Re: SSL timeout Robert T Dunn wrote: > We are experiencing a problem with SSL timeout as reported with issue > 8047: > INVALID URI REMOVED > _show-5Fbug.cgi-3Fid-3D8047&d=DwIFAw&c=jf_iaSHvJObTbx-siA1ZOg&r=zPEDLN > 6ZTfjdLBHYTkDPkuouKwm38JWg97dqLJAp7RM&m=fm2UKmy3aIwzq0iG0XiSWRY2VXdPwO > sEoD9Y-vvWw9SA8rJc8lKE6Mbt9l5pSf5A&s=JfMF6l9huIzLsnVgNoAEgw8D2QW3IsGHs > OJuPjkw0eI&e= > Our issue is when the LDAP client does an SSL connect to establish the > TLS session with the remote server. If the SERVER_HELLO returned from > the remote server takes a significant amount of time or does not come > back from the server at all (for example, someone unplugged the server), the > LDAP client connection DOES NOT timeout, and there are no LDAP configuration > options to force the session to timeout. So, the LDAP client connection is > effectively hung forever. Issue 8047 reported the SSL timeout issue, but the > issue's status is still UNCONFIRMED. Are there any plans to correct this > problem in future versions of LDAP Client? As noted in this reply https://bugs.openldap.org/show_bug.cgi?id=8047#c5 This is not ours to fix; the underlying TLS libraries must provide async connection support. > > > > > > Thanks, > > Rob Dunn > > > IBM z/TPFDF development > > email: [email protected] <mailto:[email protected]> > phone: (845) 433-1312 > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
