Hi Dave,
----- Original Message -----
> > [...]
> > Perhaps a new error code (as in "pmerr -l") could be introduced to give a
> > more meaningful message than ECONNRESET on that first failure? ISTR we
> > end up with ECONNRESET in a lot of cases via NSS/SSL which made debugging
> > quite tricky ... so distinguishing more cases would be good. Relatively
> > simple then - no need for retries, protocol tweaking, etc.
> >
> That would be great, but I'm not quite sure how to accomplish this.
> Please correct me if I'm misunderstanding the way the client/pmcd
> handshake works.
(Yep, that description matches my understanding too)
> The problem is that client has connected and the server
> has responded with an extended error pdu claiming that it supports
> secure sockets. The client then sends its credentials including its
> intention to connect securely. At this point, both sides attempt to
> upgrade their sockets to secure ones, each expecting the other to
> succeed and both initiate the SSL handshake. It is at this point that
> the server fails to initialize NSS and drops its side of the connection.
Ah, does the NSS code swallow whatever error pmcd sends back? At the
point where NSS_Init (or subsequent SSL calls) fail, I was thinking we
would have an opportunity to capture that error and propagate it to
the client via an error PDU (when the client next read()s it'll get it
even if it's slightly later in the exchange) before we close the socket.
But if NSS eats that error code and always does a connection reset (?),
we are in strife... is that what happens? - there's no opportunity to
send an error PDU before we close the connection?
BTW, I notice there's a bunch of SSL_ERROR_* (incl NO_CERTIFICATE which
was your example situation IIRC?) over in <nss3/sslerr.h> - those would
seem like ideal things to be sending back, instead of new PMAPI error
codes ... (pmErrStr_r supports these already) - just need to find a way
to get pmcd to send that pesky error PDU.
> I don't see an opportunity for the server to indicate that it was unable
> to upgrade to a secure socket.
I thought pmcd would be able to send an error PDU before it closes the
socket ... (and a non-connection-reset code should appear on next read)
- that didn't work?
cheers.
--
Nathan