From: Aleš Křenek Date: Thu, 7 Dec 2006 13:49:01 +0000 (+0000) Subject: retry connecting on false alert "certificate expired" X-Git-Tag: glite-security-gsoap-plugin_R_1_2_5~1 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=646d916974792525ffd0644f262f12b51e95f14f;p=jra1mw.git retry connecting on false alert "certificate expired" --- diff --git a/org.glite.security.gsoap-plugin/src/glite_gss.c b/org.glite.security.gsoap-plugin/src/glite_gss.c index d50832e..b2e4d31 100644 --- a/org.glite.security.gsoap-plugin/src/glite_gss.c +++ b/org.glite.security.gsoap-plugin/src/glite_gss.c @@ -587,6 +587,17 @@ end: return ret; } +/* XXX XXX This is black magic. "Sometimes" server refuses the client with SSL + * * alert "certificate expired" even if it is not true. In this case the server + * * slave terminates (which helps, usually), and we can reconnect transparently. + * */ + +/* This string appears in the error message in this case */ +#define _EXPIRED_ALERT_MESSAGE "function SSL3_READ_BYTES: sslv3 alert certificate expired" +#define _EXPIRED_ALERT_RETRY_COUNT 10 /* default number of slaves, hope that not all + are in the bad state */ +#define _EXPIRED_ALERT_RETRY_DELAY 10 /* ms */ + int edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, struct timeval *timeout, edg_wll_GssConnection *connection, @@ -600,6 +611,7 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, gss_name_t server = GSS_C_NO_NAME; gss_ctx_id_t context = GSS_C_NO_CONTEXT; char *servername = NULL; + int retry = _EXPIRED_ALERT_RETRY_COUNT; maj_stat = min_stat = min_stat2 = req_flags = 0; @@ -632,6 +644,8 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, /* XXX if cred == GSS_C_NO_CREDENTIAL set the ANONYMOUS flag */ + do { /* XXX: the black magic above */ + /* XXX prepsat na do {} while (maj_stat == CONT) a osetrit chyby*/ while (!context_established) { /* XXX verify ret_flags match what was requested */ @@ -673,6 +687,27 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, /* XXX check ret_flags matches to what was requested */ + /* retry on false "certificate expired" */ + if (ret == EDG_WLL_GSS_ERROR_GSS) { + edg_wll_GssStatus gss_stat; + char *msg = NULL; + + gss_stat.major_status = maj_stat; + gss_stat.minor_status = min_stat; + edg_wll_gss_get_error(&gss_stat,"",&msg); + + if (strstr(msg,_EXPIRED_ALERT_MESSAGE)) { + usleep(_EXPIRED_ALERT_RETRY_DELAY); + retry--; + } + else retry = 0; + + free(msg); + } + else retry = 0; + + } while (retry); + memset(connection, 0, sizeof(*connection)); connection->sock = sock; connection->context = context;