From: Vadim Cargatser
Date: Wed, 24 Mar 2021 15:22:25 +0000 (+0200)
Subject: Looks like there is bug in tls code w/ fr_nonblock
X-Git-Tag: release_3_0_22~130
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8939e793b68bf9dc770fd7db6aeb851bedbaa515;p=thirdparty%2Ffreeradius-server.git

Looks like there is bug in tls code w/ fr_nonblock

With that RADSEC is not working at all.

The issue is in this commit:
https://github.com/FreeRADIUS/freeradius-server/commit/b6d7249be1958d0080187846d8bab1f0fae6b857
it pretends to revert erroneously deleted lines from another commit:
https://github.com/FreeRADIUS/freeradius-server/commit/f9c2f5a55d2df71979d99708f83d52336e44ad00

The thing is that it is not only reverting deleted lines, it also adds fr_nonblock(fd) call in tls_new_client_session. Was that done by mistake?

With that SSL_connect exits immediately while we are trying to send initial Access-Request packet in proxy_tls_send. Of course at this time the handshake is not yet finished and SSL_connect returns with an error. SSL_connect will return success just on the following reads in proxy_tls_recv. But here we are in the recv callback, handshake is done... so what, we don't have any packet to send.

I have deleted this fr_nonblock(fd) call meanwhile.
---
diff --git a/src/main/tls.c b/src/main/tls.c index 377deca08f..7d73ab13a3 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -539,7 +539,6 @@ tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *con SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); if (certs) SSL_set_ex_data(ssn->ssl, fr_tls_ex_index_certs, (void *)certs); - fr_nonblock(fd); SSL_set_fd(ssn->ssl, fd); ret = SSL_connect(ssn->ssl);
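
Review bot: with `fr_nonblock(fd)` removed, the `SSL_connect(ssn->ssl)` call at the end of the hunk runs in whatever blocking mode the caller left on `fd`, and nothing in the visible lines bounds how long the handshake may take. If `fd` is blocking, a peer that accepts the TCP connection but stalls during the TLS handshake would hold the calling thread inside `tls_new_client_session`. Please either confirm that a send/receive timeout is set on the socket before this point, or keep the non-blocking mode and retry `SSL_connect` on `SSL_ERROR_WANT_READ` / `SSL_ERROR_WANT_WRITE` until the handshake completes, so that `proxy_tls_send` only writes the first Access-Request on an established session. A short comment above `SSL_set_fd(ssn->ssl, fd);` stating that this function expects a blocking socket, and why, would also help keep the call from being reintroduced by a later revert.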