Description of problem:
p11_child currently has an infinite timeout which is causing OCSP requests to fail on semi-disconnected systems with multiple certificates, such as a CAC.

Version-Release number of selected component (if applicable):
OS: Red Hat Enterprise Linux release 8.5 (Ootpa)
SSSD: sssd-2.5.2-2.el8_5.3.x86_64
p11-kit: p11-kit-0.23.22-1.el8.x86_64

How reproducible:
Consistently.

Steps to Reproduce:
1. Prepare system for smart card login with a CAC.
2. Disconnect from the network.
3. Attempt to log in.

Actual results:
The certificate menu is presented even though the cert is specified, and login fails after PIN entry.

Expected results:
The system skips the OCSP check (if configured) due to connection timeout and proceeds onward.
(In reply to Chance Callahan from comment #0)
> Description of problem:
>
> p11_child currently has an infinite timeout

Remark: specifically `query_responder()` is executed with "req_timeout == -1".
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L290
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L49

> How reproducible:
>
> Consistently.
>
> Steps to Reproduce:
> 1. Prepare system for smart card login with a CAC.
> 2. Disconnect from the network

JFTR: this will not necessarily reproduce an issue. Moreover, I expect a real "disconnect" will not reproduce this. To reproduce one needs something like a firewall rule to drop all packets outgoing to the OCSP server, so that the TCP connection is stuck for a long time.
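The distinction drawn in the comment above (a real disconnect fails fast, a black-holed responder hangs) can be seen without a smart card or a firewall. The following is an added example, not code from this bug report or from SSSD: a localhost listener that accepts connections but never answers stands in for a DROP rule in front of the OCSP responder, a port with no listener stands in for a genuine disconnect, and the request body is a constructed placeholder rather than a real DER-encoded OCSPRequest. `query_responder` here is a Python stand-in named after the C function, not the SSSD one; passing `req_timeout=None` gives the unbounded wait the bug describes.

```python
import socket
import threading

# Constructed placeholder: a real client sends a DER-encoded OCSPRequest here.
FAKE_OCSP_REQUEST = b"\x30\x03\x30\x01\x00"


def start_blackhole_responder():
    """Listen on an ephemeral localhost port, accept every connection and never
    answer. This stands in for a firewall rule that DROPs traffic to the OCSP
    responder: the TCP connection is established, then nothing ever arrives,
    so an unbounded read blocks indefinitely."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    held = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            held.append(conn)  # keep it open, never send a byte

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Return a localhost port with no listener, modelling a real disconnect:
    the responder is simply unreachable and the kernel answers with RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def query_responder(host, port, req_timeout):
    """Send one OCSP-over-HTTP POST and wait for the first response bytes.

    req_timeout is in seconds. None means 'no timeout', the behaviour the bug
    reports (req_timeout == -1 in p11_child): against a black-holed responder
    the call then never returns.
    Returns one of: 'answered', 'closed', 'refused', 'timeout', 'error:<errno>'.
    """
    request = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/ocsp-request\r\n"
        f"Content-Length: {len(FAKE_OCSP_REQUEST)}\r\n"
        "\r\n"
    ).encode() + FAKE_OCSP_REQUEST
    try:
        with socket.create_connection((host, port), timeout=req_timeout) as s:
            s.settimeout(req_timeout)  # bound the read, not only the connect
            s.sendall(request)
            data = s.recv(4096)
            return "answered" if data else "closed"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def reproduce(req_timeout=1.0):
    """Run both scenarios with a bounded timeout and return their outcomes."""
    srv, stuck_port = start_blackhole_responder()
    try:
        return {
            "disconnected": query_responder("127.0.0.1", find_closed_port(), req_timeout),
            "black_holed": query_responder("127.0.0.1", stuck_port, req_timeout),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for scenario, outcome in reproduce().items():
        print(f"{scenario}: {outcome}")
```

With a bounded `req_timeout` the disconnected case returns `refused` immediately and the black-holed case returns `timeout` after the configured wait; with `req_timeout=None` the black-holed case is the hang the reporter observed at login. This is why pulling the cable is not a reliable reproducer while a DROP rule towards the responder is.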