Regarding backport fix of https://github.com/FreeRADIUS/freeradius-server/issues/3501 to 3.0.x branches.

saurabha badhai saurabha.badhai at gmail.com
Tue Jun 6 09:34:37 UTC 2023


I mean the part below:

                /*
                 *      FIXME: connect() is blocking!
                 *      We do this with the proxy mutex locked, which may
                 *      cause large delays!
                 *
                 *      http://www.developerweb.net/forum/showthread.php?p=13486
                 */
                this->fd = fr_socket_client_tcp(&home->src_ipaddr,
                                                &home->ipaddr, home->port,
                                                false);


Thanks,
Saurabha

On Tue, Jun 6, 2023 at 2:49 PM saurabha badhai <saurabha.badhai at gmail.com>
wrote:

> Yes I am using RADSEC which uses TLS. I see in TLS establishment procedure
> first part is TCP connection and then starts TLS handshake to make a secure
> connection.
>
> I am facing an issue in the first part, the TCP connect: the thread gets stuck
> here in fr_socket_client_tcp and does not come out for 2 mins if the AAA
> server is down or the network is unavailable, which impacts the other RADIUS
> messages to be processed around that time. This blocks the complete server
> from processing any message.
>
> My doubt is whether this TCP blocking for 2 mins before the TLS handshake
> procedure gets fixed with these TLS non-blocking PRs?
>
> Thanks,
> Saurabha
>
> On Tue, Jun 6, 2023 at 11:32 AM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Jun 6, 2023, at 7:57 AM, saurabha badhai <saurabha.badhai at gmail.com>
>> wrote:
>> >
>> > Yes, got it. So in a TLS connection, TCP connect can be used in
>> > non-blocking mode now with PR #5013 without any issue. Could you please
>> > confirm?
>>
>>   If you read the code, you'll see that bare TCP cannot be used in
>> non-blocking mode.
>>
>>   The non-blocking code uses the internal TLS buffers to write data when
>> the TCP connection is blocked.  Those TLS buffers don't exist for
>> RADIUS/TCP.  So they're not used.
>>
>>   In short: don't use RADIUS/TCP.  It's insecure.  It offers no value
>> over RADIUS/UDP, or RADIUS/TLS.
>>
>>   Just use RADIUS/TLS.
>>
>>   Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/devel.html
>>
>

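The stall discussed in this thread is a blocking connect() that waits for the kernel's SYN retransmit schedule to give up while the proxy mutex is held. As an added example that is not FreeRADIUS code (the function names `connect_with_timeout` and `make_loopback_listener`, the 300 ms deadline and the 10.255.255.1 address are illustrative; 2083 is the RADIUS/TLS port), here is the usual way to bound a TCP connect: switch the socket to O_NONBLOCK, let connect() return EINPROGRESS, poll() for writability up to a deadline, read SO_ERROR for the real outcome, and restore blocking mode so the caller's existing read()/write() path is unchanged.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Bounded TCP connect (added example, not FreeRADIUS code).
 * A blocking connect() waits for the kernel's SYN retransmit schedule to give
 * up (on Linux roughly two minutes at the default tcp_syn_retries). Here the
 * wait is capped at timeout_ms. Returns a connected fd in blocking mode, or
 * -1 with errno set (ETIMEDOUT when the deadline expires).
 */
int connect_with_timeout(const char *ipv4, uint16_t port, int timeout_ms)
{
    struct sockaddr_in sa;
    int fd, flags, rc;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1) { errno = EINVAL; return -1; }

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) goto fail;

    rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    if (rc < 0 && errno != EINPROGRESS) goto fail;   /* immediate failure, e.g. ENETUNREACH */

    if (rc < 0) {
        /* Handshake in flight: wait for writability, bounded by timeout_ms. */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT };
        int n;
        do { n = poll(&pfd, 1, timeout_ms); } while (n < 0 && errno == EINTR);
        if (n < 0) goto fail;
        if (n == 0) { errno = ETIMEDOUT; goto fail; }

        /* Writable means "finished", not "succeeded": fetch the outcome. */
        int soerr = 0;
        socklen_t len = sizeof soerr;
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &len) < 0) goto fail;
        if (soerr != 0) { errno = soerr; goto fail; }
    }

    if (fcntl(fd, F_SETFL, flags) < 0) goto fail;   /* back to blocking mode */
    return fd;

fail:
    {
        int saved = errno;   /* close() must not clobber the failure reason */
        close(fd);
        errno = saved;
    }
    return -1;
}

/* Demo/test helper: listen on an ephemeral 127.0.0.1 port and report it. */
int make_loopback_listener(uint16_t *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;   /* let the kernel pick a free port */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    uint16_t port = 0;
    int lfd = make_loopback_listener(&port);
    int fd = connect_with_timeout("127.0.0.1", port, 1000);
    printf("loopback: %s\n", fd >= 0 ? "connected" : strerror(errno));
    if (fd >= 0) close(fd);
    if (lfd >= 0) close(lfd);

    /* 10.255.255.1:2083 (constructed; RADIUS/TLS port) stands in for a down
     * home server: this returns within ~300 ms instead of minutes. */
    fd = connect_with_timeout("10.255.255.1", 2083, 300);
    printf("unreachable: %s\n", fd >= 0 ? "connected" : strerror(errno));
    if (fd >= 0) close(fd);
    return 0;
}
```

This only bounds the TCP half of a RADIUS/TLS connection setup; the TLS handshake that follows still has to be driven non-blocking (or under its own deadline), and in a proxy like the one quoted above the connect should also happen outside the mutex so one dead home server cannot stall unrelated requests.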
