Bug 774 - No LDAP SSL/StartTLS phase timeout available
Status: ASSIGNED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.3
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2017-02-08 10:02 MST by Konstantin Pokotilenko
Modified: 2017-02-10 06:10 MST
Description Konstantin Pokotilenko 2017-02-08 10:02:56 MST
Hi.

I have a network issue related to MTU that causes big packets not to be delivered. Besides other problems, this leads to the packet with the SSL certificate never reaching the LDAP client, which is seen as a hung socket in the connected state.

Setting BIND_TIMEOUT helped for nslcd, but not for sudo-ldap.

gdb shows that sudo-ldap sits in read() waiting for the TLS handshake to complete for a very long time.

Even though we have a list of 8+ LDAP servers, this does not help for sudo and leads to the host root account being inaccessible.

As far as I understand, blocking socket read mode is used with no interrupt (signal, etc.) to check timeouts.

OS: Ubuntu 12.04.5 LTS

(gdb) bt
#0  0x00007f0c9ba78f70 in read () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f0c9b0fb8ac in ?? () from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
#2  0x00007f0c9a7dc73e in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#3  0x00007f0c9a7dcf80 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#4  0x00007f0c9a7d967a in _gnutls_recv_int () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#5  0x00007f0c9a7dd995 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#6  0x00007f0c9a7e0aad in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#7  0x00007f0c9a7e6771 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#8  0x00007f0c9a7e2ad0 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#9  0x00007f0c9a7e2f45 in gnutls_handshake () from /usr/lib/x86_64-linux-gnu/libgnutls.so.26
#10 0x00007f0c9b3394ee in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#11 0x00007f0c9b3369fe in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#12 0x00007f0c9b33749d in ldap_int_tls_start () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#13 0x00007f0c9b3378b4 in ldap_start_tls_s () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#14 0x00007f0c9b7725d3 in ?? () from /usr/lib/sudo/sudoers.so
#15 0x00007f0c9b76e62f in ?? () from /usr/lib/sudo/sudoers.so
#16 0x0000000000402e5a in ?? ()
#17 0x00007f0c9b9b476d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#18 0x0000000000403c51 in ?? ()
#19 0x00007fff12dd6748 in ?? ()
#20 0x000000000000001c in ?? ()
#21 0x0000000000000002 in ?? ()
#22 0x00007fff12dd6e95 in ?? ()
#23 0x00007fff12dd6e9a in ?? ()
#24 0x0000000000000000 in ?? ()
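The following is an added reproducer of the failure mode described in the report; it is not code from sudo or from the reporter. It runs a constructed local stand-in for the LDAP server: one that speaks just enough LDAP to answer the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) with success and then never sends its TLS ServerHello/Certificate flight, which is what the client observes when those packets exceed the path MTU and are dropped. The client side does what the backtrace shows sudoers.so doing (StartTLS accepted, then the TLS handshake blocks in read()), except that a deadline is placed on the TLS phase so the stall is reported instead of hanging forever. Passing `tls_timeout=None` reproduces the blocking behaviour from the report. The hostname `ldap.example.invalid`, the BER helper (short-form lengths only), and the black-hole server are all assumptions of this example, not behaviour of any real server.

```python
"""Reproduce a StartTLS handshake that stalls after the LDAP layer said OK,
and bound it with a client-side deadline on the TLS phase (added example,
not sudo's code)."""
import socket
import ssl
import threading
import time

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV; short-form length only (<128 bytes) is enough for StartTLS."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def starttls_request(msgid: int = 1) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([msgid])) + ext)


def starttls_success_response(msgid: int = 1) -> bytes:
    # ExtendedResponse [APPLICATION 24] { resultCode success(0), matchedDN "",
    #                                     errorMessage "", responseName [10] OID }
    body = ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"") + ber(0x8A, STARTTLS_OID)
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x78, body))


def recv_n(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; avoids relying on a single recv() call."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def start_black_hole_server() -> int:
    """Constructed stand-in for a server whose TLS flight never arrives.
    Acknowledges one StartTLS request, then reads and discards everything
    (the ClientHello included) without ever replying. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        try:
            if recv_n(conn, len(starttls_request())) == starttls_request():
                conn.sendall(starttls_success_response())
            # A real server would now send ServerHello/Certificate; we never do.
            while conn.recv(4096):
                pass
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def starttls_with_deadline(port: int, tls_timeout):
    """Issue StartTLS, then run the TLS handshake under a deadline.
    Returns ("ok", seconds) on success or ("stalled", seconds) when the
    handshake hits tls_timeout. tls_timeout=None blocks forever, as in the report."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        sock.sendall(starttls_request())
        if recv_n(sock, len(starttls_success_response())) != starttls_success_response():
            raise RuntimeError("server refused StartTLS")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # never reached: the ServerHello never arrives
        sock.settimeout(tls_timeout)     # the deadline that covers the TLS phase itself
        t0 = time.monotonic()
        try:
            tls = ctx.wrap_socket(sock, server_hostname="ldap.example.invalid")  # assumed name
            tls.close()
            return "ok", time.monotonic() - t0
        except socket.timeout:
            return "stalled", time.monotonic() - t0
    finally:
        sock.close()


if __name__ == "__main__":
    status, secs = starttls_with_deadline(start_black_hole_server(), tls_timeout=2.0)
    print(f"TLS phase: {status} after {secs:.1f}s")
```

With a finite `tls_timeout` the call returns "stalled" after roughly that many seconds and the caller can move on to the next server in its list; with `None` it sits in the same blocking read the backtrace shows, and no BIND_TIMELIMIT can interrupt it because the bind has not started yet.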
Comment 1 Todd C. Miller 2017-02-08 10:23:50 MST
Have you tried setting BIND_TIMELIMIT (not BIND_TIMEOUT)?
Comment 2 Konstantin Pokotilenko 2017-02-10 06:10:01 MST
(In reply to Todd C Miller from comment #1)
> Have you tried setting BIND_TIMELIMIT (not BIND_TIMEOUT)?

Sure, specifying "BIND_TIMELIMIT 10" in /etc/sudo-ldap.conf (Ubuntu) does not help.