Using nsslapd-ioblocktimeout settings to avoid / minimize SSL potential hangs

It is not unusual to experience DS SSL-related hangs when the DS instance receives non-conformant or unfinished / incomplete SSL payloads. This has been the default behaviour of the NSS security component that runs inside the DS 5.2 product suite. This is not an NSS bug; it is simply the appropriate way to handle such SSL payloads, as explained in bug 6524411. The unlucky side effect of this behaviour is the appearance of SSL-like blocking stacks on the DS side.

One possible way to run into this particular problem is when the customer's client application layer is changed and migrated to a vanilla DPS6.2 centric architecture. Such a vanilla version of DPS tends to generate incomplete SSL negotiation / handshaking, which ultimately leads to the DS SSL hangs described here.

Fortunately, DPS6.3 and several hotfixes on top of DPS6.2 (like 6.2_KS_6561157_6618078_6626995_6570523_6630730_6561151_6576637_6643701_6661474_6653253) correct this behaviour completely.

But if our customers are using other client applications that also generate incomplete SSL negotiation / handshaking, then our DS instances will suffer the same problem because of those other client applications.

The only workaround that can be applied on the DS side to mitigate these undesired effects caused by misbehaving client applications is to reduce the nsslapd-ioblocktimeout configuration parameter, which is the only parameter capable of closing down a connection for which a DS internal thread is being kept blocked.

Our opinion is that configuring this parameter to a low value (10-15 seconds, as opposed to the 30 minute or 3 minute default, depending on the DS version) will reduce future NSS blocking stacks caused by misbehaving client applications that could be introduced in the topology.

To lower the current ioblocktimeout settings, the procedure below needs to be applied to each replica in the topology:

1) ldapsearch -h -p -D -w -b "cn=config" -s base objectclass=\* nsslapd-ioblocktimeout

2) Verify that it is currently configured to 30 minutes (1800000) or 3 minutes (180000); the value is expressed in milliseconds.

3) Set ioblocktimeout to 15 seconds. This can be done

3.1) either offline:
3.1.1) Stop the server
3.1.2) Edit dse.ldif: under the cn=config entry, set nsslapd-ioblocktimeout to 15 seconds (15000)
3.1.3) Restart the server

3.2) or online:
3.2.1) ldapmodify -h -p -D -w
dn: cn=config
changetype: modify
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: 10000

3.2.2) Check whether the hangs disappear; if they don't, you may need to restart the DS for the new value to be taken into account.
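As an added example (not part of the original post), a small POSIX shell helper covering steps 1) to 3.2): it reads the value that the ldapsearch of step 1) returns, checks it against the two defaults named in step 2), and builds the LDIF for the ldapmodify of step 3.2) from a timeout given in seconds, because the attribute itself is stored in milliseconds. The function names and the sample search output are constructed for this example; pipe the real ldapsearch output into current_ioblocktimeout on a replica.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for lowering
# nsslapd-ioblocktimeout on a replica; the attribute value is in milliseconds.

# Constructed sample of what step 1) prints on a replica still at the
# 30 minute default. In practice, feed the real ldapsearch output instead.
SAMPLE_SEARCH_OUTPUT='dn: cn=config
nsslapd-ioblocktimeout: 1800000'

# Print the current nsslapd-ioblocktimeout (ms) from ldapsearch output on stdin.
current_ioblocktimeout() {
    sed -n 's/^nsslapd-ioblocktimeout: *//p' | head -n 1
}

# Classify a millisecond value against the two defaults mentioned in step 2).
classify_ioblocktimeout() {
    case "$1" in
        1800000) echo "default-30min" ;;
        180000)  echo "default-3min" ;;
        *)       echo "custom" ;;
    esac
}

# Emit the LDIF used in step 3.2); the argument is the new timeout in seconds,
# converted here to milliseconds so 15 becomes 15000 and not a 15 ms timeout.
ioblocktimeout_ldif() {
    ms=$(( $1 * 1000 ))
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-ioblocktimeout\nnsslapd-ioblocktimeout: %s\n' "$ms"
}

main() {
    cur=$(printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | current_ioblocktimeout)
    echo "current: ${cur} ms ($(classify_ioblocktimeout "$cur"))"
    # The LDIF below is what you would pipe into ldapmodify -h -p -D -w
    ioblocktimeout_ldif 15
}

main
```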
