IO17669: Configurable ldap client ssl timeout

APAR status

  • Closed as program error.

Error description

  • SSL/TLS connections initiated by IDS client-based applications
    may fail due to SSL handshake timeout conditions. Currently the
    IDS clients/library do not provide any method to configure this
    client-side SSL handshake timeout.
    
    These SSL timeout failures generate error code 406 (GSK_ERROR_IO)
    entries within the IDS LDAP client trace.
    
    067:02:20:16 T3048 ssl_read: -----> Entering ssl_read
    067:02:20:21 T3048 Error - ssl_read: select timed out after:
     5.000000 sec
    067:02:20:21 T3048 ssl_read: rc=-1
    067:02:20:21 T3048 In ldap_start_tls_s_np():
     gsk_secure_soc_init() rc=406 GSK_ERROR_IO
    067:02:20:21 T3048 ldap_err2string: err(116)
    
    In some cases the error may be seen during ssl_write:
       Error - ssl_write: select timed out after: 5.000000 sec
       ssl_write: rc=-1
    
    Other trace entries will indicate whether or not the timeout
    is within the ssl handshake process or within the ssl data I/O
    process.
    
    The following trace entry indicates that the timeout occurred
    within the ssl or tls handshake process.
    
       ... : gsk_secure_soc_init() rc=406 GSK_ERROR_IO
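
A small triage script for the distinction described above, added here as an example (not IBM code): it reads a client trace, folds wrapped lines, and marks a select timeout as a handshake timeout when the same thread then logs gsk_secure_soc_init() rc=406. The line layout (timestamp, thread ID, message) is inferred from the excerpt above, the T4000 lines are constructed, and the function names and the "not-handshake" label are assumptions.

```python
import re

# Constructed sample: the excerpt from this APAR plus one constructed
# ssl_write timeout on a second thread (T4000) with no handshake failure.
SAMPLE_TRACE = """\
067:02:20:16 T3048 ssl_read: -----> Entering ssl_read
067:02:20:21 T3048 Error - ssl_read: select timed out after:
 5.000000 sec
067:02:20:21 T3048 ssl_read: rc=-1
067:02:20:21 T3048 In ldap_start_tls_s_np():
 gsk_secure_soc_init() rc=406 GSK_ERROR_IO
067:02:20:21 T3048 ldap_err2string: err(116)
067:02:21:02 T4000 Error - ssl_write: select timed out after: 5.000000 sec
067:02:21:02 T4000 ssl_write: rc=-1
"""

ENTRY = re.compile(r"^(\d{3}:\d{2}:\d{2}:\d{2}) (T\d+) (.*)$")  # assumed layout
TIMEOUT = re.compile(r"(ssl_read|ssl_write): select timed out after:\s*([\d.]+) sec")
HANDSHAKE_FAIL = "gsk_secure_soc_init() rc=406"

def parse_entries(text):
    """Return [timestamp, thread, message] entries, folding wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()  # continuation of previous entry
    return entries

def classify_timeouts(text):
    """Return one finding per select timeout, tagged by phase."""
    findings, pending = [], {}  # pending: thread -> index of its latest timeout
    for ts, thread, msg in parse_entries(text):
        m = TIMEOUT.search(msg)
        if m:
            pending[thread] = len(findings)
            findings.append({"time": ts, "thread": thread, "call": m.group(1),
                             "seconds": float(m.group(2)), "phase": "not-handshake"})
        elif HANDSHAKE_FAIL in msg and thread in pending:
            # Same thread reports the handshake call failing after the timeout.
            findings[pending.pop(thread)]["phase"] = "handshake"
    return findings

if __name__ == "__main__":
    for finding in classify_timeouts(SAMPLE_TRACE):
        print(finding)
```

Timeouts tagged "handshake" are the ones the client-side handshake timeout applies to; the rest need the surrounding trace entries to be read by hand.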
    

Local fix

  • For client-side SSL handshake timeout failures the only
    workaround is to resolve the reason for the long SSL handshake
    time. If the server side of the connection does some form of
    remote lookup (e.g. CRL checking on a remote system), this may
    result in the operation hanging or timing out after 5 seconds.
    

Problem summary

  • Added an environment variable to control the client side
    ssl handshake timeout value:
        IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS
    
    The default timeout for the client-side SSL handshake is 5 seconds.
    To override the default value, set the environment variable
    IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS to the desired number of
    milliseconds.
    
    For example, to set the client-side SSL handshake timeout to 10 seconds:
    On Unix platforms:
      export IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000
    
    On Windows:
      set IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000
    
    Restart the IDS client based application from the same shell in
    which the above environment variable is set.
    

Problem conclusion

  • The fix for this APAR will be contained in the following
    maintenance packages:
    | interim fix | 6.2.0.27-ISS-ITDS-IF0027 |
    

Temporary fix

Comments

APAR Information

  • APAR number

    IO17669

  • Reported component name

    IBM TIV DIR SER

  • Reported component ID

    5724J3960

  • Reported release

    620

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-30

  • Closed date

    2013-01-23

  • Last modified date

    2013-01-23

  • APAR is sysrouted FROM one or more of the following:

    IO17647

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM TIV DIR SER

  • Fixed component ID

    5724J3960

Applicable component levels

  • R620 PSY

       UP



Document information


More support for:

IBM Security Directory Server
General

Software version:

620

Reference #:

IO17669

Modified date:

2013-01-23
