Bug 2053153 - p11_child currently has an infinite timeout
Summary: p11_child currently has an infinite timeout
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.5
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: sssd-maint
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-10 15:51 UTC by Chance Callahan
Modified: 2023-08-14 08:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-111914 0 None None None 2022-02-10 16:00:56 UTC
Red Hat Issue Tracker SSSD-4324 0 None None None 2022-02-10 18:58:10 UTC

Description Chance Callahan 2022-02-10 15:51:34 UTC
Description of problem:

p11_child currently has an infinite timeout which is causing OCSP requests to fail on semi-disconnected systems with multi certificates, such as a CAC.

Version-Release number of selected component (if applicable):

OS: Red Hat Enterprise Linux release 8.5 (Ootpa)
SSSD: sssd-2.5.2-2.el8_5.3.x86_64 
p11-kit: p11-kit-0.23.22-1.el8.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Prepare system for smart card login with a CAC.
2. Disconnect from the network.
3. Attempt to login.

Actual results:

The certificate menu is presented even though the cert is specified, and login fails after PIN entry.

Expected results:

The system skips the OCSP check (if configured) due to connection timeout and proceeds onward.

Comment 2 Alexey Tikhonov 2022-02-10 17:18:35 UTC
(In reply to Chance Callahan from comment #0)
> Description of problem:
> 
> p11_child currently has an infinite timeout

Remark: specifically `query_responder()` is executed with "req_timeout == -1".
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L290
https://github.com/SSSD/sssd/blob/bf9deea19bafa6a4a10457e5fa86f295ebe94fe1/src/p11_child/p11_child_openssl.c#L49


> How reproducible:
> 
> Consistently.
> 
> Steps to Reproduce:
> 1. Prepare system for smart card login with a CAC.
> 2. Disconnect from the network

JFTR: this will not necessarily reproduce an issue.
Moreover, I expect a real "disconnect" will not reproduce this.
To reproduce it, one needs something like a firewall rule that drops all packets outgoing to the OCSP server, so that the TCP connection is stuck for a long time.
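The behaviour described in this thread, as an added illustration that is not SSSD's own code: a stand-in `query_responder()` that sends a request and waits for the first byte of the reply with `poll()`. Passing `req_timeout_ms == -1` reproduces the reported case (the wait is unbounded), while a non-negative value bounds it so the caller can fall back to whatever the configured OCSP policy says. The "responder" is a constructed local listener that completes the TCP handshake but never answers, standing in for the firewalled OCSP server Alexey describes; the request payload, function names and return codes are assumptions made for this example and do not correspond to p11_child's API.

```c
/* Added example, not SSSD code: bounded vs. unbounded wait on a responder
 * that never answers. Function names, codes and payload are assumptions. */
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define QR_OK        0
#define QR_ERROR    -1
#define QR_TIMEOUT  -2

/* Wait until fd is readable. req_timeout_ms < 0 reproduces the reported
 * behaviour: poll() blocks indefinitely. A non-negative value bounds it. */
static int wait_readable(int fd, int req_timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc;
    do {
        rc = poll(&pfd, 1, req_timeout_ms);   /* -1 means infinite */
    } while (rc < 0 && errno == EINTR);
    if (rc == 0) return QR_TIMEOUT;
    if (rc < 0) return QR_ERROR;
    return QR_OK;
}

/* Connect, send the request, and wait at most req_timeout_ms for a reply.
 * Returns QR_OK (reply bytes in buf/out_len), QR_TIMEOUT or QR_ERROR. */
int query_responder(const char *ip, uint16_t port,
                    const void *req, size_t req_len, int req_timeout_ms,
                    char *buf, size_t buf_len, ssize_t *out_len)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return QR_ERROR;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return QR_ERROR; }
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return QR_ERROR; }
    if (send(fd, req, req_len, 0) != (ssize_t)req_len) { close(fd); return QR_ERROR; }

    int rc = wait_readable(fd, req_timeout_ms);
    if (rc == QR_OK) {
        *out_len = recv(fd, buf, buf_len, 0);
        if (*out_len < 0) rc = QR_ERROR;
    }
    close(fd);
    return rc;
}

/* Constructed fixture: a loopback listener that is never accept()ed. The
 * kernel finishes the handshake into the backlog, so connect() and send()
 * succeed, but no response ever arrives. Returns the listening fd. */
int start_silent_responder(uint16_t *port)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 }; /* 0: ephemeral port */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 4) < 0) {
        close(lfd);
        return -1;
    }
    socklen_t len = sizeof sa;
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) { close(lfd); return -1; }
    *port = ntohs(sa.sin_port);
    return lfd;
}

/* Run one query against the silent responder with the given timeout. */
int demo(int req_timeout_ms)
{
    uint16_t port;
    int lfd = start_silent_responder(&port);
    if (lfd < 0) return QR_ERROR;
    static const char req[] = "OCSP-REQUEST-PLACEHOLDER";  /* constructed payload */
    char buf[64];
    ssize_t n = 0;
    int rc = query_responder("127.0.0.1", port, req, sizeof req - 1,
                             req_timeout_ms, buf, sizeof buf, &n);
    close(lfd);
    return rc;
}

int main(void)
{
    /* demo(-1) would hang forever, which is the reported bug; do not call it. */
    int rc = demo(500);
    printf("bounded query: %s\n",
           rc == QR_TIMEOUT ? "timed out, caller applies configured OCSP policy"
                            : "unexpected result");
    return 0;
}
```

With a bounded timeout the query returns `QR_TIMEOUT` after roughly the requested interval, which is the point at which a caller can apply the "skip the OCSP check if so configured" behaviour the reporter expects; with `-1` the same call blocks for as long as the stuck TCP connection lives.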

