From 646d916974792525ffd0644f262f12b51e95f14f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ale=C5=A1=20K=C5=99enek?= <ljocha@ics.muni.cz>
Date: Thu, 7 Dec 2006 13:49:01 +0000
Subject: [PATCH] retry connecting on false alert "certificate expired"

---
 org.glite.security.gsoap-plugin/src/glite_gss.c | 35 +++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/org.glite.security.gsoap-plugin/src/glite_gss.c b/org.glite.security.gsoap-plugin/src/glite_gss.c
index d50832e..b2e4d31 100644
--- a/org.glite.security.gsoap-plugin/src/glite_gss.c
+++ b/org.glite.security.gsoap-plugin/src/glite_gss.c
@@ -587,6 +587,17 @@ end:
    return ret;
 }
 
+/* XXX XXX This is black magic. "Sometimes" server refuses the client with SSL
+ *  * alert "certificate expired" even if it is not true. In this case the server
+ *   * slave terminates (which helps, usually), and we can reconnect transparently.
+ *    */
+
+/* This string appears in the error message in this case */
+#define _EXPIRED_ALERT_MESSAGE "function SSL3_READ_BYTES: sslv3 alert certificate expired"
+#define _EXPIRED_ALERT_RETRY_COUNT 10   /* default number of slaves, hope that not all
+					                                              are in the bad state */
+#define _EXPIRED_ALERT_RETRY_DELAY 10   /* ms */
+
 int 
 edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
 		    struct timeval *timeout, edg_wll_GssConnection *connection,
@@ -600,6 +611,7 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
    gss_name_t server = GSS_C_NO_NAME;
    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
    char *servername = NULL;
+   int retry = _EXPIRED_ALERT_RETRY_COUNT;
 
    maj_stat = min_stat = min_stat2 = req_flags = 0;
 
@@ -632,6 +644,8 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
 
    /* XXX if cred == GSS_C_NO_CREDENTIAL set the ANONYMOUS flag */
 
+   do { /* XXX: the black magic above */
+
    /* XXX prepsat na do {} while (maj_stat == CONT) a osetrit chyby*/
    while (!context_established) {
       /* XXX verify ret_flags match what was requested */
@@ -673,6 +687,27 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port,
 
    /* XXX check ret_flags matches to what was requested */
 
+   /* retry on false "certificate expired" */
+   if (ret == EDG_WLL_GSS_ERROR_GSS) {
+	   edg_wll_GssStatus	gss_stat;
+	   char	*msg = NULL;
+
+	   gss_stat.major_status = maj_stat;
+	   gss_stat.minor_status = min_stat;
+	   edg_wll_gss_get_error(&gss_stat,"",&msg);
+
+	   if (strstr(msg,_EXPIRED_ALERT_MESSAGE)) {
+		   usleep(_EXPIRED_ALERT_RETRY_DELAY);
+		   retry--;
+	   }
+	   else retry = 0;
+
+	   free(msg);
+   }
+   else retry = 0;
+
+   } while (retry);
+
    memset(connection, 0, sizeof(*connection));
    connection->sock = sock;
    connection->context = context;
-- 
1.8.2.3