M2SSLTransport

M2Crypto SSLTransport Library

class DIRAC.Core.DISET.private.Transports.M2SSLTransport.SSLTransport(*args, **kwargs)

Bases: BaseTransport

SSL Transport implementation using the M2Crypto library.

KW_TIMEOUT = 'timeout'
__init__(*args, **kwargs)

Create an SSLTransport object, parameters are the same as for other transports. If ctx is specified (as an instance of SSL.Context) then use that rather than creating a new context.

kwargs can contain all the parameters defined in BaseClient, in particular timeout

acceptConnection()

Accept a new client, returns a new SSLTransport object representing the client connection.

The connection is accepted, but no SSL handshake is performed

Returns:

S_OK(SSLTransport object)

acceptConnection_multipleSteps()

Accept a new client, returns a new SSLTransport object representing the client connection.

The connection is accepted, but no SSL handshake is performed

Returns:

S_OK(SSLTransport object)

acceptConnection_singleStep()

Accept a new client, returns a new SSLTransport object representing the client connection.

The SSL handshake is performed here.

Returns:

S_OK(SSLTransport object)

bAllowReuseAddress = True
close()

Close this socket.

getAppData()
getConnectingCredentials()
Returns:

dictionary with credentials

Return empty dictionary for plainTransport.

In SSLTransport it contains (after the handshake):

  • ’DN’ : All identity name, e.g. `/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser`

  • ’CN’ : Only the user name e.g. ciuser

  • ’x509Chain’ : List of all certificates in the chain

  • ’isProxy’ : True if the client use proxy certificate

  • ’isLimitedProxy’ : True if the client use limited proxy certificate

  • ’group’ (optional): Dirac group attached to the client

  • ’extraCredentials’ (optional): Extra credentials if exists

Before the handshake, dictionary is empty

getFormattedCredentials()
getKeepAliveLapse()
getLastActionTimestamp()
getLocalAddress()
getRemoteAddress()
getSocket()
handshake()

Perform SSL handshakes. This has to be called after the connection was accepted (acceptConnection_multipleSteps)

The remote credentials are gathered here

handshake_multipleSteps()

Perform SSL handshakes. This has to be called after the connection was accepted (acceptConnection_multipleSteps)

The remote credentials are gathered here

handshake_singleStep()

Used to perform SSL handshakes. These are now done automatically.

iListenQueueSize = 128
iReadTimeout = 600
initAsClient()

Prepare this client socket for use.

initAsServer()

Prepare this server socket for use.

isLocked()

Returns if this instance is locked. Always returns false.

Returns:

False

keepAliveMagic = b'dka'
latestServerRenewTime()
receiveData(maxBufferSize=0, blockAfterKeepAlive=True, idleReceive=False)
renewServerContext()

Renews the server context. This reloads the certificates and re-initialises the SSL context.

NOTE: Chris 15.05.20 I noticed python segfault on a regular time interval. The stack trace always looks like that:

#0  0x00007fdb5bbe2388 in ?? () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
#1  0x00007fdb5bbd8742 in X509_STORE_load_locations () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
#2  0x00007fdb57edcc9d in _wrap_ssl_ctx_load_verify_locations (self=<optimized out>, args=<optimized out>) at SWIG/_m2crypto_wrap.c:20602
#3  0x00007fdb644ec484 in PyEval_EvalFrameEx () from /opt/dirac/versions/v10r0_1587978031/diracos/usr/bin/../lib64/libpython2.7.so.1.0

I could not find anything fundamentaly wrong, and the context renewal is the only place I could think of.

GSI based SSLTransport did the following: renew the context, and renew the Connection object using the same raw socket This still seems very fishy to me though, especially that the ServiceReactor still has the old object in self.__listeningConnections[svcName][‘socket’]]

Here, we were are refreshing the CA store. What was missing was the call to the parent class, thus entering some sort of infinite loop. The parent’s call seems to have fixed it.

sendData(uData, prefix=b'')
sendKeepAlive(responseId=None, now=False)
serverMode()
setAppData(appData)
setClientSocket(oSocket)

Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.

Parameters:

oSocket – client socket SSL.Connection object

setClientSocket_multipleSteps(oSocket)

Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.

Parameters:

oSocket – client socket SSL.Connection object

setClientSocket_singleStep(oSocket)

Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. We also gather the remote peer credentials This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.

Parameters:

oSocket – client socket SSL.Connection object

setExtraCredentials(extraCredentials)

Add extra credentials to peerCredentials

Parameters:

extraCredentials (str or tuple) – group or tuple with DN and group

setSocketTimeout(timeout)

Set the timeout for RPC calls.

Parameters:

timeout – timeout for socket operation in seconds