return ret;
}
+/* XXX XXX This is black magic. "Sometimes" server refuses the client with SSL
+ * * alert "certificate expired" even if it is not true. In this case the server
+ * * slave terminates (which helps, usually), and we can reconnect transparently.
+ * */
+
+/* This string appears in the error message in this case */
+#define _EXPIRED_ALERT_MESSAGE "function SSL3_READ_BYTES: sslv3 alert certificate expired"
+#define _EXPIRED_ALERT_RETRY_COUNT 10 /* default number of slaves, hope that not all
+ are in the bad state */
+#define _EXPIRED_ALERT_RETRY_DELAY 10 /* ms */
+
int
edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
struct timeval *timeout, edg_wll_GssConnection *connection,
gss_name_t server = GSS_C_NO_NAME;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
char *servername = NULL;
+ int retry = _EXPIRED_ALERT_RETRY_COUNT;
maj_stat = min_stat = min_stat2 = req_flags = 0;
/* XXX if cred == GSS_C_NO_CREDENTIAL set the ANONYMOUS flag */
+ do { /* XXX: the black magic above */
+
/* XXX prepsat na do {} while (maj_stat == CONT) a osetrit chyby*/
while (!context_established) {
/* XXX verify ret_flags match what was requested */
/* XXX check ret_flags matches to what was requested */
+ /* retry on false "certificate expired" */
+ if (ret == EDG_WLL_GSS_ERROR_GSS) {
+ edg_wll_GssStatus gss_stat;
+ char *msg = NULL;
+
+ gss_stat.major_status = maj_stat;
+ gss_stat.minor_status = min_stat;
+ edg_wll_gss_get_error(&gss_stat,"",&msg);
+
+ if (strstr(msg,_EXPIRED_ALERT_MESSAGE)) {
+ usleep(_EXPIRED_ALERT_RETRY_DELAY);
+ retry--;
+ }
+ else retry = 0;
+
+ free(msg);
+ }
+ else retry = 0;
+
+ } while (retry);
+
memset(connection, 0, sizeof(*connection));
connection->sock = sock;
connection->context = context;
git://scientific.zcu.cz / jra1mw.git / commitdiff