RE: problems on EAGAIN? (was: TLS connect from remote host to slapd hangs)
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Rainer Clasen
> Rainer Clasen wrote:
> > I can access this slapd fine from the server itself. But when I try to
> > contact the new slave from *anywhere* else the connection hangs during
> > the initial SSL phase.
>
> I've run the server under strace. slapd starts sending the CA
> certificates and after several successful write()s one call to write()
> returns EAGAIN. Up to then the client received some certificates and
> then blocks.
> Could it be that slapd chokes on the EAGAIN received when writing out
> the CA certificates?
slapd doesn't have much to do with this; it's the SSL library that takes care
of sending CA certs to the client. The OpenSSL library's write routines give
up whenever a write() returns < 1. In OpenLDAP 2.1.6 the TLS interface in
libldap was fixed to set the SSL retry_write flag when a write resulted in
EAGAIN. Unfortunately (as of 0.9.6g) OpenSSL's send_server_certificate()
function doesn't check the retry_write flag. Maybe it should, but that's a
question for an OpenSSL mailing list.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
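
The failure mode discussed in this message, as an added example that is not part of the original e-mail and is not OpenLDAP or OpenSSL code: a sender on a non-blocking socket that stops at the first write() returning < 1, next to one that treats EAGAIN as "retry when writable". The names send_payload and drain are hypothetical, the AF_UNIX socketpair stands in for the TCP connection to the remote client, and the payload is constructed zero bytes.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read whatever is buffered on fd (stands in for the remote client
 * catching up on the data already sent). */
static void drain(int fd) {
    char buf[4096];
    while (read(fd, buf, sizeof buf) > 0) { }
}

/* Send len constructed bytes over a non-blocking socketpair.
 * retry == 0: give up at the first write() that returns < 1.
 * retry != 0: on EAGAIN/EWOULDBLOCK wait for POLLOUT, then continue.
 * Returns the bytes accepted by the kernel, or -1 on setup failure. */
long send_payload(size_t len, int retry) {
    int sv[2];
    static const char chunk[1024];   /* constructed payload: zeros */
    size_t sent = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    fcntl(sv[1], F_SETFL, fcntl(sv[1], F_GETFL) | O_NONBLOCK);
    while (sent < len) {
        size_t want = len - sent < sizeof chunk ? len - sent : sizeof chunk;
        ssize_t n = write(sv[0], chunk, want);
        if (n > 0) { sent += (size_t)n; continue; }
        /* n < 1: the give-up sender stops here, mid-message */
        if (!retry || (errno != EAGAIN && errno != EWOULDBLOCK)) break;
        drain(sv[1]);                        /* peer consumes its backlog */
        struct pollfd p = { .fd = sv[0], .events = POLLOUT };
        if (poll(&p, 1, 1000) <= 0) break;   /* timeout or poll error */
    }
    close(sv[0]);
    close(sv[1]);
    return (long)sent;
}
```

With a payload larger than the socket buffer, the give-up variant returns a short count and the peer is left waiting for the rest, which matches the hang seen in the strace output above.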