More user-friendly SSL errors, and rate limited failure #4313

This commit is contained in:
Nick Bolton 2015-03-04 13:42:19 +00:00
parent 9cdff4a910
commit 501dc6c886
2 changed files with 56 additions and 22 deletions

View File

@ -104,7 +104,10 @@ SecureSocket::secureRead(void* buffer, UInt32 n)
int r = 0; int r = 0;
if (m_ssl->m_ssl != NULL) { if (m_ssl->m_ssl != NULL) {
r = SSL_read(m_ssl->m_ssl, buffer, n); r = SSL_read(m_ssl->m_ssl, buffer, n);
retry = checkResult(r);
bool error, retry;
checkResult(r, error, retry);
if (retry) { if (retry) {
r = 0; r = 0;
} }
@ -120,7 +123,10 @@ SecureSocket::secureWrite(const void* buffer, UInt32 n)
int r = 0; int r = 0;
if (m_ssl->m_ssl != NULL) { if (m_ssl->m_ssl != NULL) {
r = SSL_write(m_ssl->m_ssl, buffer, n); r = SSL_write(m_ssl->m_ssl, buffer, n);
retry = checkResult(r);
bool error, retry;
checkResult(r, error, retry);
if (retry) { if (retry) {
r = 0; r = 0;
} }
@ -212,11 +218,19 @@ SecureSocket::secureAccept(int socket)
// set connection socket to SSL state // set connection socket to SSL state
SSL_set_fd(m_ssl->m_ssl, socket); SSL_set_fd(m_ssl->m_ssl, socket);
// do SSL-protocol accept LOG((CLOG_INFO "accepting secure socket"));
LOG((CLOG_DEBUG1 "secureAccept"));
int r = SSL_accept(m_ssl->m_ssl); int r = SSL_accept(m_ssl->m_ssl);
bool retry = checkResult(r);
bool error, retry;
checkResult(r, error, retry);
if (error) {
// tell user and sleep so the socket isn't hammered.
LOG((CLOG_ERR "failed to accept secure socket"));
LOG((CLOG_INFO "client connection may not be secure"));
ARCH->sleep(1);
}
m_secureReady = !retry; m_secureReady = !retry;
return retry; return retry;
@ -229,10 +243,19 @@ SecureSocket::secureConnect(int socket)
// attach the socket descriptor // attach the socket descriptor
SSL_set_fd(m_ssl->m_ssl, socket); SSL_set_fd(m_ssl->m_ssl, socket);
LOG((CLOG_DEBUG1 "secureConnect")); LOG((CLOG_INFO "connecting secure socket"));
int r = SSL_connect(m_ssl->m_ssl); int r = SSL_connect(m_ssl->m_ssl);
bool retry = checkResult(r);
bool error, retry;
checkResult(r, error, retry);
if (error) {
// tell user and sleep so the socket isn't hammered.
LOG((CLOG_ERR "failed to connect secure socket"));
LOG((CLOG_INFO "server connection may not be secure"));
ARCH->sleep(1);
}
m_secureReady = !retry; m_secureReady = !retry;
@ -262,20 +285,23 @@ SecureSocket::showCertificate()
} }
} }
bool void
SecureSocket::checkResult(int n) SecureSocket::checkResult(int n, bool& error, bool& retry)
{ {
bool retry = false; retry = false;
error = true;
int errorCode = SSL_get_error(m_ssl->m_ssl, n); int errorCode = SSL_get_error(m_ssl->m_ssl, n);
switch (errorCode) { switch (errorCode) {
case SSL_ERROR_NONE: case SSL_ERROR_NONE:
// operation completed // operation completed
error = false;
break; break;
case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_ZERO_RETURN:
// connection has been closed // connection has been closed
LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_ZERO_RETURN")); LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_ZERO_RETURN"));
error = false;
break; break;
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
@ -299,27 +325,35 @@ SecureSocket::checkResult(int n)
break; break;
case SSL_ERROR_SYSCALL: case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL: LOG((CLOG_ERR "secure socket error: SSL_ERROR_SYSCALL"));
LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_SSL")); sendEvent(getEvents()->forISocket().disconnected());
sendEvent(getEvents()->forIStream().inputShutdown());
showError();
break;
case SSL_ERROR_SSL:
LOG((CLOG_ERR "secure socket error: SSL_ERROR_SSL"));
sendEvent(getEvents()->forISocket().disconnected()); sendEvent(getEvents()->forISocket().disconnected());
sendEvent(getEvents()->forIStream().inputShutdown()); sendEvent(getEvents()->forIStream().inputShutdown());
showError(); showError();
retry = true;
break; break;
default: default:
// possible cases: LOG((CLOG_ERR "secure socket error: SSL_ERROR_SSL"));
// SSL_ERROR_WANT_X509_LOOKUP sendEvent(getEvents()->forISocket().disconnected());
sendEvent(getEvents()->forIStream().inputShutdown());
showError(); showError();
break;
} }
return retry;
} }
void void
SecureSocket::showError() SecureSocket::showError()
{ {
LOG((CLOG_ERR "secure socket error: %s", getError().c_str())); String error = getError();
if (!error.empty()) {
LOG((CLOG_ERR "secure socket error: %s", error.c_str()));
}
} }
void void

View File

@ -58,7 +58,7 @@ private:
bool secureAccept(int s); bool secureAccept(int s);
bool secureConnect(int s); bool secureConnect(int s);
void showCertificate(); void showCertificate();
bool checkResult(int n); void checkResult(int n, bool& error, bool& retry);
void showError(); void showError();
void throwError(const char* reason); void throwError(const char* reason);
String getError(); String getError();