
Re: (ITS#8735) Significant delay setting LDAP_OPT_X_TLS_REQUIRE_CERT with invalid DNS



sean.haugh@vertivco.com wrote:
> I'm seeing a significant delay (32s) when setting
> `LDAP_OPT_X_TLS_REQUIRE_CERT` with unreachable DNS servers in
> resolv.conf. We initially discovered the issue in 2.4.42
> although I've confirmed it is present in 2.4.45. AFAIK it is
> not present in 2.4.23.

I assume you see a delay at the client-side.

Are you sure that it is not something caused by the TLS library
updated in the meantime? Which one is used by the client?

You should re-test with server certs without any URLs (AIA, CRLDP 
extensions etc.) which might be accessed by your TLS lib.

You could also monitor the DNS traffic. Some resolvers allow
switching on query logging. Or use tcpdump or similar.

And BTW: the most likely answer is that your resolver should
always be up and running. Sometimes a local caching resolver helps
to overcome an upstream resolver outage.

Ciao, Michael.
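The first suggestion above (re-test with server certs that carry no AIA or CRLDP URLs) needs a quick way to see whether a given certificate has such extensions at all. The following shell functions are an added example for this thread, not code from the ITS report, from Michael or from the OpenLDAP project. They assume the `openssl` CLI is installed; the hostnames `ldap.example.test`, `ca.example.test` and `crl.example.test` and the two generated certificates are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the ITS#8735 thread). Lists the URL-bearing
# X.509 extensions (Authority Information Access and CRL Distribution
# Points) in a PEM certificate. A TLS library that tries to fetch those
# URLs during verification will issue DNS queries, which is one way an
# unreachable resolver can stall LDAP_OPT_X_TLS_REQUIRE_CERT processing.
# Assumption: the openssl command-line tool is available.

cert_url_extensions() {
    # $1: path to a PEM certificate. Prints every AIA / CRLDP URI found.
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -E -A4 'Authority Information Access|CRL Distribution Points' \
        | grep -E -o 'URI:[^[:space:]]+' || true
}

cert_has_url_extensions() {
    # Returns 0 (true) if the certificate carries AIA or CRLDP URIs,
    # 1 (false) if it carries none, i.e. it is safe for the re-test.
    [ -n "$(cert_url_extensions "$1")" ]
}

make_plain_cert() {
    # Constructed sample: self-signed cert with no AIA / CRLDP extensions.
    # $1: output path for the certificate (key is written to "$1.key").
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

make_cert_with_urls() {
    # Constructed sample: self-signed cert that does carry AIA and CRLDP
    # URLs (hostnames are placeholders). Uses a temporary config file so
    # it works with OpenSSL releases that lack the -addext option.
    cfg="$1.cnf"
    cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ext]
authorityInfoAccess = caIssuers;URI:http://ca.example.test/ca.crt
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' -config "$cfg" -extensions v3_ext \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage, run stand-alone: report on the server cert you are testing with.
if [ -n "$1" ]; then
    if cert_has_url_extensions "$1"; then
        echo "$1 carries URL extensions that a TLS lib may try to fetch:"
        cert_url_extensions "$1"
    else
        echo "$1 carries no AIA/CRLDP URLs"
    fi
fi
```

Point the script at the server certificate actually used by the LDAP server; if it reports URLs, that is the first thing to rule out before looking at the OpenLDAP version itself. While the client connects, `tcpdump -ni any port 53` (the tcpdump approach Michael mentions) shows whether any lookup for those hostnames, or for anything else, is being attempted against the unreachable resolver.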