Running into a problem here at work where we have a daemon process that was converted to use BIOs for SSL support. Since then we are occasionally seeing a problem where if a subprocess executed manages to hang, closing down the daemon and restarting it will run into a problem with binding to the port.

My suspicion is that when we create the socket connections to listen on using the BIO functions, because we are not setting FD_CLOEXEC on the socket, any executed subprocess also sees this socket, so that when the close is issued, the socket doesn't actually close down fully or enter the TIME_WAIT state until there is a timeout.

I am assuming this based on the description of what FD_CLOEXEC does in the man page of fcntl. Basically it says that if the FD_CLOEXEC bit is 0, the fd will remain open across an execve, otherwise it will be closed.

Looking at the version of the code when it wasn't using encryption, I can see that we were setting this on the socket "fcntl(sock, F_SETFD, FD_CLOEXEC)".

Now obviously I need to do better in closing down any subprocess (children or other exec'ed programs), but I'm going to be in full control of all the other processes that could be executed, so preventing the fd from remaining open across them is still probably the right thing to do.

Currently the code is written so that the creation of the socket and binding is done using BIO_new_accept, BIO_set_bind_mode and BIO_do_accept. So far it's not clear to me whether it's then possible to get a valid fd that can be used with fcntl to set the FD_CLOEXEC bit.

Is there something I'm missing, or should I be looking at creating and binding using socket, setsockopt, fcntl, and bind to set the behaviour needed on the socket and then use BIO_new_socket to set up the BIO?

--
Regards,
Darragh Bailey
Systems Software Engineer
Hewlett Packard Galway Ltd.
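The socket/setsockopt/fcntl/bind route asked about above, as an added example that is not part of the original post and not OpenSSL code: it builds a listening socket that exec'ed programs do not inherit and checks the flag. The function names and the loopback address are assumptions made for the illustration, and only POSIX calls are used.

```c
/* Added example (not from the original post): listener with FD_CLOEXEC set. */
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set FD_CLOEXEC while keeping any other descriptor flags already present. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if close-on-exec is set, 0 if it is clear, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Loopback TCP listener (port 0 = kernel picks one); flag is set before bind. */
int make_listener(unsigned short port)
{
    struct sockaddr_in addr;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* assumed address */
    addr.sin_port = htons(port);
    if (set_cloexec(fd) == -1 ||
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == -1 ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) == -1 ||
        listen(fd, 16) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = make_listener(0);
    printf("listener fd=%d close-on-exec=%d\n", fd, fd == -1 ? -1 : is_cloexec(fd));
    return fd == -1;
}
```

Descriptors returned by accept() start with FD_CLOEXEC clear regardless of the listener's flag, so each accepted connection needs set_cloexec() as well before it is wrapped with BIO_new_socket.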