Esempio n. 1
    def renewServerContext(self):
        # pylint: disable=line-too-long
        """ Renew the server-side SSL context.

        Calls the parent class's renewServerContext(), then hands the current
        context and the stored keyword arguments to getM2SSLContext and keeps
        the result as this transport's context. As described by the original
        author, this reloads the certificates and re-initialises the SSL context.

        NOTE: Chris 15.05.20
        Python was observed to segfault at regular intervals. The stack trace always looked like this::

          #0  0x00007fdb5bbe2388 in ?? () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
          #1  0x00007fdb5bbd8742 in X509_STORE_load_locations () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
          #2  0x00007fdb57edcc9d in _wrap_ssl_ctx_load_verify_locations (self=<optimized out>, args=<optimized out>) at SWIG/_m2crypto_wrap.c:20602
          #3  0x00007fdb644ec484 in PyEval_EvalFrameEx () from /opt/dirac/versions/v10r0_1587978031/diracos/usr/bin/../lib64/libpython2.7.so.1.0

        Nothing fundamentally wrong could be found, and the context renewal was the only place that came to mind.

        GSI based SSLTransport did the following: renew the context, and renew the Connection object using the same raw socket.
        This still seems very fishy, especially since the ServiceReactor still has the old object in self.__listeningConnections[svcName]['socket']]

        Here, we are refreshing the CA store. What was missing was the call to the parent class, thus entering some sort of infinite loop.
        The parent's call seems to have fixed it.

        NOTE(review): this method only reassigns self.__ctx. Whether sockets or
        connections created from the previous context (see the ServiceReactor
        remark above) pick up the renewed certificates and CA store is not
        visible here -- confirm before relying on renewal for certificate or
        CA rotation.

        :raises RuntimeError: if the transport is not in server mode
        :returns: S_OK()
        """  # noqa # pylint: disable=line-too-long
        if self.serverMode():
            # The parent's renewal runs before the context is refreshed;
            # leaving it out is what the note above identifies as the bug.
            super(SSLTransport, self).renewServerContext()
            refreshedCtx = getM2SSLContext(self.__ctx, **self.__kwargs)
            self.__ctx = refreshedCtx
            return S_OK()

        # Renewal only makes sense for a listening (server) transport.
        raise RuntimeError("SSLTransport is in client mode.")
Esempio n. 2
 def renewServerContext(self):
     """ Renew the server-side SSL context.

     Hands the current context and the stored keyword arguments to
     getM2SSLContext and keeps the result as this transport's context.
     As described by the original author, this reloads the certificates
     and re-initialises the SSL context.

     NOTE(review): this version does not call the parent class's
     renewServerContext(). Confirm whether the base transport keeps state
     that has to be refreshed together with the context.

     :raises RuntimeError: if the transport is not in server mode
     :returns: S_OK()
     """
     if self.serverMode():
         refreshedCtx = getM2SSLContext(self.__ctx, **self.__kwargs)
         self.__ctx = refreshedCtx
         return S_OK()

     # Renewal only makes sense for a listening (server) transport.
     raise RuntimeError("SSLTransport is in client mode.")
Esempio n. 3
    def __init__(self, *args, **kwargs):
        """ Create an SSLTransport object.

        The parameters are the same as for other transports. kwargs can
        contain all the parameters defined in BaseClient, in particular
        the timeout.

        If 'ctx' is given (an instance of SSL.Context) it is used instead of
        creating a new context. It is removed from kwargs, so it is neither
        stored in self.__kwargs nor forwarded to BaseTransport.

        NOTE(review): a caller-supplied 'ctx' is taken as-is; this constructor
        does not run it through getM2SSLContext, so the sslMethods/sslCiphers
        defaults set below are not applied to it here. Callers passing their
        own context are responsible for its protocol and cipher configuration.
        """
        # M2Crypto's thread initialisation is not really thread safe,
        # so it is invoked a second time here.
        M2Threading.init()
        self.remoteAddress = None
        self.peerCredentials = {}

        # The timeout used here is different from what it was in pyGSI.
        # It is the timeout for the socket operations involved in the RPC
        # call, NOT for the establishment of the connection, which has its
        # own, separate timeout.
        #
        # The timeout management of pyGSI was a bit off, as shown by this
        # kind of trace (look at the timestamps):
        #
        # 2020-07-16 09:48:55 UTC dirac-proxy-init [140013698656064] DEBUG: Connection timeout set to:  1
        # 2020-07-16 09:58:55 UTC dirac-proxy-init [140013698656064] WARN: Issue getting socket:
        #
        rpcTimeout = kwargs.get(SSLTransport.KW_TIMEOUT, DEFAULT_RPC_TIMEOUT)
        self.__timeout = rpcTimeout

        # Locking is not supported, so this flag always stays False.
        self.__locked = False

        # When setting up a server listening connection, the accepted SSL
        # methods and ciphers come from the environment unless the caller
        # passed them explicitly (which never happens in DIRAC code...).
        # An unset variable yields None; what getM2SSLContext does with None
        # is not visible here -- presumably it falls back to its defaults,
        # to be confirmed.
        if kwargs.get('bServerMode'):
            envDefaults = (('sslMethods', 'DIRAC_M2CRYPTO_SSL_METHODS'),
                           ('sslCiphers', 'DIRAC_M2CRYPTO_SSL_CIPHERS'))
            for kwName, envName in envDefaults:
                if kwName not in kwargs:
                    kwargs[kwName] = os.environ.get(envName)

        suppliedCtx = kwargs.pop('ctx', None)
        self.__ctx = suppliedCtx
        if not suppliedCtx:
            self.__ctx = getM2SSLContext(**kwargs)

        # kwargs is also kept by BaseTransport as self.extraArgsDict;
        # the private reference below is the one used by this class, and
        # the original author relies on it never being modified.
        self.__kwargs = kwargs

        BaseTransport.__init__(self, *args, **kwargs)
Esempio n. 4
    def __init__(self, *args, **kwargs):
        """ Create an SSLTransport object.

        The parameters are the same as for other transports. If 'ctx' is
        given (an instance of SSL.Context) it is used instead of creating a
        new context. It is removed from kwargs, so it is neither stored in
        self.__kwargs nor forwarded to BaseTransport.

        NOTE(review): a caller-supplied 'ctx' is taken as-is; this constructor
        does not run it through getM2SSLContext. Callers passing their own
        context are responsible for its configuration.
        """
        self.remoteAddress = None
        self.peerCredentials = {}

        # Locking is not supported, so this flag always stays False.
        self.__locked = False
        # Fixed value in this version; it is not read from kwargs.
        self.__timeout = 1

        suppliedCtx = kwargs.pop('ctx', None)
        self.__ctx = suppliedCtx
        if not suppliedCtx:
            # No context supplied: build one from the remaining kwargs.
            self.__ctx = getM2SSLContext(**kwargs)

        # Private reference to the keyword arguments, stored without 'ctx'.
        self.__kwargs = kwargs
        BaseTransport.__init__(self, *args, **kwargs)