From 646d916974792525ffd0644f262f12b51e95f14f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ale=C5=A1=20K=C5=99enek?=
Date: Thu, 7 Dec 2006 13:49:01 +0000
Subject: [PATCH] retry connecting on false alert "certificate expired"
---
 org.glite.security.gsoap-plugin/src/glite_gss.c | 35 +++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/org.glite.security.gsoap-plugin/src/glite_gss.c b/org.glite.security.gsoap-plugin/src/glite_gss.c
index d50832e..b2e4d31 100644
--- a/org.glite.security.gsoap-plugin/src/glite_gss.c
+++ b/org.glite.security.gsoap-plugin/src/glite_gss.c
@@ -587,6 +587,17 @@ end: return ret; } +/* XXX XXX This is black magic. "Sometimes" server refuses the client with SSL + * * alert "certificate expired" even if it is not true. In this case the server + * * slave terminates (which helps, usually), and we can reconnect transparently. + */ + /* This string appears in the error message in this case */ +#define _EXPIRED_ALERT_MESSAGE "function SSL3_READ_BYTES: sslv3 alert certificate expired" +#define _EXPIRED_ALERT_RETRY_COUNT 10 /* default number of slaves, hope that not all are in the bad state */ +#define _EXPIRED_ALERT_RETRY_DELAY 10 /* ms */ + int edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, struct timeval *timeout, edg_wll_GssConnection *connection,
@@ -600,6 +611,7 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, gss_name_t server = GSS_C_NO_NAME; gss_ctx_id_t context = GSS_C_NO_CONTEXT; char *servername = NULL; + int retry = _EXPIRED_ALERT_RETRY_COUNT; maj_stat = min_stat = min_stat2 = req_flags = 0;
@@ -632,6 +644,8 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, /* XXX if cred == GSS_C_NO_CREDENTIAL set the ANONYMOUS flag */ + do { /* XXX: the black magic above */ + /* XXX prepsat na do {} while (maj_stat == CONT) a osetrit chyby*/ while (!context_established) { /* XXX verify ret_flags match what was requested */
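Review bot: `_EXPIRED_ALERT_RETRY_DELAY` is annotated `/* ms */`, but its only use, `usleep(_EXPIRED_ALERT_RETRY_DELAY)` in the last hunk, takes microseconds, so the pause between retries is 10 µs rather than the intended 10 ms; either set it to `10000` or change the comment to `/* us */`. All three new macro names start with an underscore followed by an uppercase letter, a form C reserves for the implementation; drop the leading underscore or use a project prefix. The text in `_EXPIRED_ALERT_MESSAGE` is the wording of one OpenSSL version's error, which the comment block above it should say explicitly, e.g. `/* Matched verbatim against the OpenSSL error text; if that wording changes the retry silently stops firing. */`.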
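Review bot: The `do {` opened here re-enters the `while (!context_established)` handshake loop on retry, but nothing in this hunk resets the state that loop depends on; unless the lines between the two hunks release `context` (`gss_delete_sec_context`) and clear `context_established` and `ret` before the next iteration, the second attempt presumably continues from the half-built context of the failed one. It is also not visible whether the socket is reconnected: a server that sent a fatal alert has closed the TLS session, so a retry on the same `sock` may need to return to the connect step rather than only to the handshake. The loop is closed by `} while (retry);` in the last hunk, outside this one, so the missing-reset question can only be settled there or in the lines in between.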
@@ -673,6 +687,27 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
 /* XXX check ret_flags matches to what was requested */
+ /* retry on false "certificate expired" */
+ if (ret == EDG_WLL_GSS_ERROR_GSS) {
+ edg_wll_GssStatus gss_stat;
+ char *msg = NULL;
+
+ gss_stat.major_status = maj_stat;
+ gss_stat.minor_status = min_stat;
+ edg_wll_gss_get_error(&gss_stat,"",&msg);
+
+ if (strstr(msg,_EXPIRED_ALERT_MESSAGE)) {
+ usleep(_EXPIRED_ALERT_RETRY_DELAY);
+ retry--;
+ }
+ else retry = 0;
+
+ free(msg);
+ }
+ else retry = 0;
+
+ } while (retry);
+
 memset(connection, 0, sizeof(*connection));
 connection->sock = sock;
 connection->context = context;
--
1.8.2.3
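Review bot: `strstr(msg, _EXPIRED_ALERT_MESSAGE)` dereferences `msg` without a check; `msg` starts as `NULL` and is filled in only by `edg_wll_gss_get_error`, so if that call fails to allocate or leaves it unset the result is a null dereference — use `if (msg && strstr(msg, _EXPIRED_ALERT_MESSAGE)) {`. Keying the retry on OpenSSL's English error text means a genuinely expired certificate is also retried `_EXPIRED_ALERT_RETRY_COUNT` times before the failure is reported, which delays a real trust failure and ties the workaround to one library version's wording; a one-line comment above the `if` should record that trade-off. What happens on the last failed attempt is outside the hunk: if the handshake loop reaches this point with `ret == EDG_WLL_GSS_ERROR_GSS` rather than jumping to `end`, control continues into `memset(connection, ...)` and `connection->context = context` with the error still pending, and if it does jump to `end` the retry block is never reached at all, so whichever applies should be confirmed. `usleep` also needs `<unistd.h>`, which I cannot see from this hunk.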