From: Aleš Křenek Date: Fri, 8 Dec 2006 12:40:18 +0000 (+0000) Subject: - reload credentials on each new connection X-Git-Tag: glite-lb-server_R_1_3_9~3 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=fb955ef04f10dfedf061eb63824728b446d76bd4;p=jra1mw.git - reload credentials on each new connection - terminate server slave on "certificate has expired" -- likely to be false --- diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c index 1a34af5..215c679 100644 --- a/org.glite.lb.server/src/bkserverd.c +++ b/org.glite.lb.server/src/bkserverd.c @@ -699,17 +699,21 @@ int bk_handle_connection(int conn, struct timeval *timeout, void *data) +/* don't care :-( switch ( edg_wll_gss_watch_creds(server_cert, &cert_mtime) ) { case 0: break; case 1: +*/ if ( !edg_wll_gss_acquire_cred_gsi(server_cert, server_key, &newcred, NULL, &gss_code) ) { dprintf(("[%d] reloading credentials\n", getpid())); gss_release_cred(&min_stat, &mycred); mycred = newcred; - } else { dprintf(("[%d] reloading credentials failed\n", getpid())); } + } else { dprintf(("[%d] reloading credentials failed, using old ones\n", getpid())); } +/* break; case -1: dprintf(("[%d] edg_wll_gss_watch_creds failed\n", getpid())); break; } +*/ if ( edg_wll_InitContext(&ctx) ) { @@ -825,6 +829,12 @@ int bk_handle_connection(int conn, struct timeval *timeout, void *data) ctx->srvPort = ntohs(a.sin_port); } +/* XXX: ugly workaround, we may detect false expired certificated + * probably due to bug in Globus GSS/SSL. Treated as fatal, + * restarting the server solves the problem */ + +#define _EXPIRED_CERTIFICATE_MESSAGE "certificate has expired" + if ( (ret = edg_wll_gss_accept(mycred, conn, timeout, &ctx->connPool[ctx->connToUse].gss, &gss_code)) ) { if ( ret == EDG_WLL_GSS_ERROR_TIMEOUT ) @@ -832,6 +842,13 @@ int bk_handle_connection(int conn, struct timeval *timeout, void *data) dprintf(("[%d] Client authentication failed - timeout reached, closing.\n", getpid())); if (!debug) syslog(LOG_ERR, "Client authentication failed - timeout reached"); } + else if (ret == EDG_WLL_GSS_ERROR_GSS) { + edg_wll_SetErrorGss(ctx,"Client authentication",&gss_code); + if (strstr(ctx->errDesc,_EXPIRED_CERTIFICATE_MESSAGE)) { + edg_wll_FreeContext(ctx); + return -1; + } + } else { dprintf(("[%d] Client authentication failed, closing.\n", getpid()));