From: Rick Macklem
To: Benjamin Kaduk, Rick Macklem
CC: src-committers, svn-src-projects@freebsd.org
Subject: Re: svn commit: r362798 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls
Date: Tue, 30 Jun 2020 16:20:45 +0000

Benjamin Kaduk wrote:
>On Tue, Jun 30, 2020 at 7:49 AM Rick Macklem wrote:
>Author: rmacklem
>Date: Tue Jun 30 14:49:51 2020
>New Revision: 362798
>URL: https://svnweb.freebsd.org/changeset/base/362798
>
>Log:
>  Testing when a server does not respond to TLS handshake records exposed
>  a couple of problems, since the daemon would be in SSL_connect() for 6 minutes.
>
>  - When the upcall timed out and was retried, the RPCTLS_SYSC_CLSOCKET syscall
>    was broken and did not return an error upon a retry. It allocated a file
>    descriptor for a NULL socket.
>  - The socket structure in the kernel could be free'd while the daemon was
>    still using it in SSL_connect().
>  - Adjust the timeout and retry count so that upcalls are only attempted once
>    with a 10 minute timeout.
>
>
>10 minutes seems really long! It sounds from the description like the upcall so that
>userspace can run SSL_connect() was taking 6 minutes, and you needed 10 minutes so
>as to be longer than the 6 minutes that is "out of your control"?
Well, I think a long timeout here is ok, since a timeout indicates a broken daemon.
(The upcalls to the local daemon should be reliable and cannot safely be redone.
 In a perfect world, the upcall mechanism would be "exactly once" instead of
 "at least once". I think an upcall might fail when the mbuf pool in the kernel
 is exhausted, but that should be rare.)

>I feel like there should be some sockopts available to get the SSL_connect() timeout
>down, so that the upcall timeout doesn't need to be so long, either.
Yes, 6 minutes does seem like a long time. I only discovered this yesterday when
I simulated a server that did not respond to handshake records.

I haven't yet dug into the openssl code to see if there is a way to adjust this
timeout.
I also do not know what a good timeout value for SSL_connect() might be,
even if the daemon can override the default.

In practice, this should only happen when trying to do an NFS mount on
a broken server which responds to the "STARTTLS" Null RPC, but does not
do the handshake.
Having the mount attempt stuck for 6 minutes before failing is not that serious
a problem, imho.
(When systems boot after something like a power failure, delays getting NFS
mounts done, due to the NFS server/network needing to be up, is fairly
normal. The "-b" option to put the mount attempt in background has been
around for a long time for this.)

If you happen to know how to set a timeout for SSL_connect() in the openssl
library, I would be interested in hearing that.

rick

-Ben
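
The failure mode discussed in this message (a peer that accepts the connection but never answers with handshake records) and a handshake bounded by a deadline, as an added example that is not part of the original message or of the nfs-over-tls code. It uses Python's `ssl` module, which drives OpenSSL's handshake underneath; a C daemon would get the same bound by making the socket non-blocking and waiting in `poll()` with the remaining time whenever `SSL_connect()` reports `SSL_ERROR_WANT_READ` or `SSL_ERROR_WANT_WRITE`. The function names, the constructed peers and the host name `nfs-server.example` are assumptions made for the example.

```python
import socket
import ssl
import time


def probe_tls_handshake(sock, server_hostname, timeout_s):
    """Try a TLS client handshake on a connected socket, giving up after timeout_s.

    Returns (status, seconds) where status is "ok", "timeout" or "failed".
    """
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    sock.settimeout(timeout_s)           # inherited by the wrapped socket
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    start = time.monotonic()
    try:
        tls.do_handshake()               # runs the OpenSSL handshake
        status = "ok"
    except socket.timeout:               # peer sent no handshake records in time
        status = "timeout"
    except OSError:                      # ssl.SSLError, EOF, broken pipe, reset
        status = "failed"
    finally:
        tls.close()                      # probe only: always release the descriptor
    return status, time.monotonic() - start


def demo_silent_peer(timeout_s=0.5):
    """Constructed peer: connection is up, but the ClientHello is never answered."""
    client, silent = socket.socketpair()
    try:
        return probe_tls_handshake(client, "nfs-server.example", timeout_s)
    finally:
        silent.close()


def demo_closed_peer(timeout_s=5.0):
    """Constructed peer that hangs up before the handshake starts."""
    client, peer = socket.socketpair()
    peer.close()
    return probe_tls_handshake(client, "nfs-server.example", timeout_s)


if __name__ == "__main__":
    print("silent peer:", demo_silent_peer())
    print("closed peer:", demo_closed_peer())
```

The silent peer costs the caller the chosen timeout rather than the library or TCP default, while a peer that closes the connection is reported at once as a failure, so the two cases can be logged and retried differently.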