#50398 Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS
Closed 4 months ago by spichugi. Opened 2 years ago by tbordaz.
tbordaz/389-ds-base ticket-50329  into  master

file modified
+1 -1
@@ -3174,7 +3174,7 @@ 


      if (secure) {

          pr_socketoption.option = PR_SockOpt_Nonblocking;

-         pr_socketoption.value.non_blocking = 0;

+         pr_socketoption.value.non_blocking = 1;

          if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {

              PRErrorCode prerr = PR_GetError();


Bug Description:
A secure socket is configured in blocking mode. If an event
is detected on a secure socket a worker tries to receive the request.
If handshake occurs during the read, it can hang longer than
ioblocktimeout because it takes into account the socket option
rather than the timeout used for the ssl_Recv

Fix Description:
The fix is specific to secure socket and set this socket option
to do non blocking IO.


Reviewed by: ?

Platforms tested: F28

Flag Day: no

Doc impact: no

This patch has been tested since May 17th. So far no regression reported and original issues (hanging ssl connection and replication delay/hang) do no longer happen

rebased onto f20e982

2 years ago

anyone would be interested reviewing it ? :)

You have my ack, Thierry, although somehow halffolded. ;)

Pull-Request has been merged by tbordaz

2 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3456

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

4 months ago