Bug 2053153

Summary: p11_child currently has an infinite timeout
Product: Red Hat Enterprise Linux 8
Reporter: Chance Callahan <ccallaha>
Component: sssd
Assignee: sssd-maint
Status: NEW ---
QA Contact: sssd-qe
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.5
CC: adam.winberg, atikhono, grajaiya, lslebodn, mzidek, pbrezina, tscherf, vvanhaft
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Chance Callahan 2022-02-10 15:51:34 UTC
Description of problem:

p11_child currently has an infinite timeout, which is causing OCSP requests to fail on semi-disconnected systems with multiple certificates, such as a CAC.

Version-Release number of selected component (if applicable):

OS: Red Hat Enterprise Linux release 8.5 (Ootpa)
SSSD: sssd-2.5.2-2.el8_5.3.x86_64
p11-kit: p11-kit-0.23.22-1.el8.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Prepare system for smart card login with a CAC.
2. Disconnect from the network
3. Attempt to login.

Actual results:

The certificate menu is presented even though the cert is specified, and login fails after PIN entry.

Expected results:

The system skips the OCSP check (if configured) due to connection timeout and proceeds onward.

Comment 2 Alexey Tikhonov 2022-02-10 17:18:35 UTC
(In reply to Chance Callahan from comment #0)
> Description of problem:
> 
> p11_child currently has an infinite timeout

Remark: specifically, `query_responder()` is executed with "req_timeout == -1".
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L290
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L49


> How reproducible:
> 
> Consistently.
> 
> Steps to Reproduce:
> 1. Prepare system for smart card login with a CAC.
> 2. Disconnect from the network

JFTR: this will not necessarily reproduce the issue.
Moreover, I expect a real "disconnect" will not reproduce this.
To reproduce, one needs something like a firewall rule to drop all packets outgoing to the OCSP server, so that the TCP connection is stuck for a long time.
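The stuck-responder case described in the comments, as an added Python illustration that is not sssd's code: a constructed local responder that accepts the TCP connection but never answers, and a stand-in `query_responder()` in which `req_timeout == -1` means wait forever (as in the linked p11_child call) while a finite timeout lets a configured OCSP soft-fail let the login proceed. The placeholder request bytes, the responder and the `login_may_proceed()` policy are all assumptions for the demonstration.

```python
import socket
import threading

# Constructed stand-in for an OCSP responder on localhost. With reply=None it
# accepts the TCP connection and then stays silent, which is the stuck case
# from the comments (packets dropped, the request never gets an answer).
def start_responder(reply):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # silent connections are kept open so they never close

    def serve():
        while True:
            conn, _ = srv.accept()
            if reply is None:
                held.append(conn)
            else:
                conn.sendall(reply)
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def query_responder(host, port, req_timeout):
    """Send a placeholder request (not real OCSP DER) and wait for a reply.

    req_timeout == -1 mirrors the current p11_child call: no limit at all.
    Returns "good", "timeout" or "error".
    """
    timeout = None if req_timeout == -1 else req_timeout
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"OCSP-REQUEST-PLACEHOLDER")
            return "good" if s.recv(64) == b"OCSP-GOOD" else "error"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"

def login_may_proceed(host, port, req_timeout, skip_ocsp_on_timeout=True):
    """Decision the reporter expects: a bounded timeout plus a configured
    soft-fail lets login continue when the responder is unreachable."""
    status = query_responder(host, port, req_timeout)
    if status == "good":
        return True
    return status == "timeout" and skip_ocsp_on_timeout
```

Calling `query_responder()` with `req_timeout=-1` against the silent responder blocks indefinitely, which is the behaviour the bug describes; the assertions therefore only exercise finite timeouts.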