More user-friendly SSL errors, and rate limited failure #4313
This commit is contained in:
parent
9cdff4a910
commit
501dc6c886
|
@ -104,7 +104,10 @@ SecureSocket::secureRead(void* buffer, UInt32 n)
|
||||||
int r = 0;
|
int r = 0;
|
||||||
if (m_ssl->m_ssl != NULL) {
|
if (m_ssl->m_ssl != NULL) {
|
||||||
r = SSL_read(m_ssl->m_ssl, buffer, n);
|
r = SSL_read(m_ssl->m_ssl, buffer, n);
|
||||||
retry = checkResult(r);
|
|
||||||
|
bool error, retry;
|
||||||
|
checkResult(r, error, retry);
|
||||||
|
|
||||||
if (retry) {
|
if (retry) {
|
||||||
r = 0;
|
r = 0;
|
||||||
}
|
}
|
||||||
|
@ -120,7 +123,10 @@ SecureSocket::secureWrite(const void* buffer, UInt32 n)
|
||||||
int r = 0;
|
int r = 0;
|
||||||
if (m_ssl->m_ssl != NULL) {
|
if (m_ssl->m_ssl != NULL) {
|
||||||
r = SSL_write(m_ssl->m_ssl, buffer, n);
|
r = SSL_write(m_ssl->m_ssl, buffer, n);
|
||||||
retry = checkResult(r);
|
|
||||||
|
bool error, retry;
|
||||||
|
checkResult(r, error, retry);
|
||||||
|
|
||||||
if (retry) {
|
if (retry) {
|
||||||
r = 0;
|
r = 0;
|
||||||
}
|
}
|
||||||
|
@ -212,11 +218,19 @@ SecureSocket::secureAccept(int socket)
|
||||||
|
|
||||||
// set connection socket to SSL state
|
// set connection socket to SSL state
|
||||||
SSL_set_fd(m_ssl->m_ssl, socket);
|
SSL_set_fd(m_ssl->m_ssl, socket);
|
||||||
|
|
||||||
// do SSL-protocol accept
|
LOG((CLOG_INFO "accepting secure socket"));
|
||||||
LOG((CLOG_DEBUG1 "secureAccept"));
|
|
||||||
int r = SSL_accept(m_ssl->m_ssl);
|
int r = SSL_accept(m_ssl->m_ssl);
|
||||||
bool retry = checkResult(r);
|
|
||||||
|
bool error, retry;
|
||||||
|
checkResult(r, error, retry);
|
||||||
|
|
||||||
|
if (error) {
|
||||||
|
// tell user and sleep so the socket isn't hammered.
|
||||||
|
LOG((CLOG_ERR "failed to accept secure socket"));
|
||||||
|
LOG((CLOG_INFO "client connection may not be secure"));
|
||||||
|
ARCH->sleep(1);
|
||||||
|
}
|
||||||
|
|
||||||
m_secureReady = !retry;
|
m_secureReady = !retry;
|
||||||
return retry;
|
return retry;
|
||||||
|
@ -229,10 +243,19 @@ SecureSocket::secureConnect(int socket)
|
||||||
|
|
||||||
// attach the socket descriptor
|
// attach the socket descriptor
|
||||||
SSL_set_fd(m_ssl->m_ssl, socket);
|
SSL_set_fd(m_ssl->m_ssl, socket);
|
||||||
|
|
||||||
LOG((CLOG_DEBUG1 "secureConnect"));
|
LOG((CLOG_INFO "connecting secure socket"));
|
||||||
int r = SSL_connect(m_ssl->m_ssl);
|
int r = SSL_connect(m_ssl->m_ssl);
|
||||||
bool retry = checkResult(r);
|
|
||||||
|
bool error, retry;
|
||||||
|
checkResult(r, error, retry);
|
||||||
|
|
||||||
|
if (error) {
|
||||||
|
// tell user and sleep so the socket isn't hammered.
|
||||||
|
LOG((CLOG_ERR "failed to connect secure socket"));
|
||||||
|
LOG((CLOG_INFO "server connection may not be secure"));
|
||||||
|
ARCH->sleep(1);
|
||||||
|
}
|
||||||
|
|
||||||
m_secureReady = !retry;
|
m_secureReady = !retry;
|
||||||
|
|
||||||
|
@ -262,20 +285,23 @@ SecureSocket::showCertificate()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool
|
void
|
||||||
SecureSocket::checkResult(int n)
|
SecureSocket::checkResult(int n, bool& error, bool& retry)
|
||||||
{
|
{
|
||||||
bool retry = false;
|
retry = false;
|
||||||
|
error = true;
|
||||||
|
|
||||||
int errorCode = SSL_get_error(m_ssl->m_ssl, n);
|
int errorCode = SSL_get_error(m_ssl->m_ssl, n);
|
||||||
|
|
||||||
switch (errorCode) {
|
switch (errorCode) {
|
||||||
case SSL_ERROR_NONE:
|
case SSL_ERROR_NONE:
|
||||||
// operation completed
|
// operation completed
|
||||||
|
error = false;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case SSL_ERROR_ZERO_RETURN:
|
case SSL_ERROR_ZERO_RETURN:
|
||||||
// connection has been closed
|
// connection has been closed
|
||||||
LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_ZERO_RETURN"));
|
LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_ZERO_RETURN"));
|
||||||
|
error = false;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case SSL_ERROR_WANT_READ:
|
case SSL_ERROR_WANT_READ:
|
||||||
|
@ -299,27 +325,35 @@ SecureSocket::checkResult(int n)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case SSL_ERROR_SYSCALL:
|
case SSL_ERROR_SYSCALL:
|
||||||
case SSL_ERROR_SSL:
|
LOG((CLOG_ERR "secure socket error: SSL_ERROR_SYSCALL"));
|
||||||
LOG((CLOG_DEBUG2 "secure socket error: SSL_ERROR_SSL"));
|
sendEvent(getEvents()->forISocket().disconnected());
|
||||||
|
sendEvent(getEvents()->forIStream().inputShutdown());
|
||||||
|
showError();
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ERROR_SSL:
|
||||||
|
LOG((CLOG_ERR "secure socket error: SSL_ERROR_SSL"));
|
||||||
sendEvent(getEvents()->forISocket().disconnected());
|
sendEvent(getEvents()->forISocket().disconnected());
|
||||||
sendEvent(getEvents()->forIStream().inputShutdown());
|
sendEvent(getEvents()->forIStream().inputShutdown());
|
||||||
showError();
|
showError();
|
||||||
retry = true;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
// possible cases:
|
LOG((CLOG_ERR "secure socket error: SSL_ERROR_SSL"));
|
||||||
// SSL_ERROR_WANT_X509_LOOKUP
|
sendEvent(getEvents()->forISocket().disconnected());
|
||||||
|
sendEvent(getEvents()->forIStream().inputShutdown());
|
||||||
showError();
|
showError();
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
return retry;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
SecureSocket::showError()
|
SecureSocket::showError()
|
||||||
{
|
{
|
||||||
LOG((CLOG_ERR "secure socket error: %s", getError().c_str()));
|
String error = getError();
|
||||||
|
if (!error.empty()) {
|
||||||
|
LOG((CLOG_ERR "secure socket error: %s", error.c_str()));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
|
|
@ -58,7 +58,7 @@ private:
|
||||||
bool secureAccept(int s);
|
bool secureAccept(int s);
|
||||||
bool secureConnect(int s);
|
bool secureConnect(int s);
|
||||||
void showCertificate();
|
void showCertificate();
|
||||||
bool checkResult(int n);
|
void checkResult(int n, bool& error, bool& retry);
|
||||||
void showError();
|
void showError();
|
||||||
void throwError(const char* reason);
|
void throwError(const char* reason);
|
||||||
String getError();
|
String getError();
|
||||||
|
|
Loading…
Reference in New Issue