From 8665139abd559b535590bd867cae6631c349e856 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Milo=C5=A1=20Mula=C4=8D?= Date: Thu, 18 Jan 2007 12:50:20 +0000 Subject: [PATCH] merge with 3.0 branch (merge_30_31_src2 - merge_30_31_src3) --- org.glite.security.gsoap-plugin/src/glite_gss.c | 35 +++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/org.glite.security.gsoap-plugin/src/glite_gss.c b/org.glite.security.gsoap-plugin/src/glite_gss.c index e13a63d..1bf7fd3 100644 --- a/org.glite.security.gsoap-plugin/src/glite_gss.c +++ b/org.glite.security.gsoap-plugin/src/glite_gss.c @@ -587,6 +587,17 @@ end: return ret; } +/* XXX XXX This is black magic. "Sometimes" server refuses the client with SSL + * * alert "certificate expired" even if it is not true. In this case the server + * * slave terminates (which helps, usually), and we can reconnect transparently. + * */ + +/* This string appears in the error message in this case */ +#define _EXPIRED_ALERT_MESSAGE "function SSL3_READ_BYTES: sslv3 alert certificate expired" +#define _EXPIRED_ALERT_RETRY_COUNT 10 /* default number of slaves, hope that not all + are in the bad state */ +#define _EXPIRED_ALERT_RETRY_DELAY 10 /* ms */ + int edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, struct timeval *timeout, edg_wll_GssConnection *connection, @@ -600,6 +611,7 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, gss_name_t server = GSS_C_NO_NAME; gss_ctx_id_t context = GSS_C_NO_CONTEXT; char *servername = NULL; + int retry = _EXPIRED_ALERT_RETRY_COUNT; maj_stat = min_stat = min_stat2 = req_flags = 0; memset(connection, 0, sizeof(*connection)); @@ -633,6 +645,8 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, /* XXX if cred == GSS_C_NO_CREDENTIAL set the ANONYMOUS flag */ + do { /* XXX: the black magic above */ + /* XXX prepsat na do {} while (maj_stat == CONT) a osetrit chyby*/ while (!context_established) { /* XXX verify ret_flags match what was requested */ @@ -674,6 +688,27 @@ edg_wll_gss_connect(gss_cred_id_t cred, char const *hostname, int port, /* XXX check ret_flags matches to what was requested */ + /* retry on false "certificate expired" */ + if (ret == EDG_WLL_GSS_ERROR_GSS) { + edg_wll_GssStatus gss_stat; + char *msg = NULL; + + gss_stat.major_status = maj_stat; + gss_stat.minor_status = min_stat; + edg_wll_gss_get_error(&gss_stat,"",&msg); + + if (strstr(msg,_EXPIRED_ALERT_MESSAGE)) { + usleep(_EXPIRED_ALERT_RETRY_DELAY); + retry--; + } + else retry = 0; + + free(msg); + } + else retry = 0; + + } while (retry); + connection->sock = sock; connection->context = context; servername = NULL; -- 1.8.2.3