M2SSLTransport
M2Crypto SSLTransport Library
- class DIRAC.Core.DISET.private.Transports.M2SSLTransport.SSLTransport(*args, **kwargs)
Bases: BaseTransport
SSL Transport implementation using the M2Crypto library.
- KW_TIMEOUT = 'timeout'
- __init__(*args, **kwargs)
Create an SSLTransport object; the parameters are the same as for the other transports. If ctx is specified (as an instance of SSL.Context), that context is used rather than creating a new one.
kwargs can contain all the parameters defined in BaseClient, in particular timeout.
- acceptConnection()
Accept a new client and return a new SSLTransport object representing the client connection.
The connection is accepted, but no SSL handshake is performed.
- Returns:
S_OK(SSLTransport object)
- acceptConnection_multipleSteps()
Accept a new client and return a new SSLTransport object representing the client connection.
The connection is accepted, but no SSL handshake is performed.
- Returns:
S_OK(SSLTransport object)
- acceptConnection_singleStep()
Accept a new client and return a new SSLTransport object representing the client connection.
The SSL handshake is performed here.
- Returns:
S_OK(SSLTransport object)
- bAllowReuseAddress = True
- close()
Close this socket.
- getAppData()
- getConnectingCredentials()
- Returns:
dictionary with credentials
Returns an empty dictionary for plainTransport.
In SSLTransport it contains (after the handshake):
'DN' : the full identity name, e.g.
`/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser`
'CN' : only the user name, e.g. ciuser
'x509Chain' : list of all certificates in the chain
'isProxy' : True if the client uses a proxy certificate
'isLimitedProxy' : True if the client uses a limited proxy certificate
'group' (optional): DIRAC group attached to the client
'extraCredentials' (optional): extra credentials, if any
Before the handshake, the dictionary is empty.
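The dictionary described above is what a service sees about its peer, so the natural defensive step is to validate it before basing any authorization decision on it. The following is an added example, not DIRAC's own code: `S_OK`/`S_ERROR` are local stand-ins for DIRAC's return convention, `parseDN` and `checkPeerCredentials` are hypothetical helpers, and the credential dictionaries at the end are constructed samples (the chain entries are placeholders, not certificate objects). The check rejects the empty pre-handshake dictionary, missing fields, a CN that does not belong to the DN, contradictory proxy flags, and (by default) limited proxies.

```python
# Added example, not DIRAC's own code: a server-side consistency check over the
# dictionary returned by SSLTransport.getConnectingCredentials().
# S_OK/S_ERROR are local stand-ins mimicking DIRAC's return convention, and the
# credential dictionaries at the bottom are constructed samples.

def S_OK(value=None):
    """Success return value in the shape DIRAC uses (stand-in)."""
    return {"OK": True, "Value": value}


def S_ERROR(message):
    """Error return value in the shape DIRAC uses (stand-in)."""
    return {"OK": False, "Message": message}


def parseDN(dn):
    """Split an OpenSSL one-line DN ('/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser')
    into an ordered list of (attribute, value) pairs; raise on malformed input."""
    if not dn or not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for component in dn[1:].split("/"):
        if "=" not in component:
            raise ValueError("malformed DN component %r" % component)
        attr, value = component.split("=", 1)
        if not attr or not value:
            raise ValueError("empty attribute or value in %r" % component)
        pairs.append((attr, value))
    return pairs


REQUIRED_FIELDS = ("DN", "CN", "x509Chain", "isProxy", "isLimitedProxy")


def checkPeerCredentials(credDict, allowLimitedProxy=False, requireGroup=False):
    """Validate the credentials dictionary before using it for authorization.

    Returns S_OK with a summary dict when the credentials are complete and
    internally consistent, S_ERROR otherwise.
    """
    # Before handshake() has run the dictionary is empty: nothing to trust yet.
    if not credDict:
        return S_ERROR("No peer credentials: SSL handshake not performed")
    for key in REQUIRED_FIELDS:
        if key not in credDict:
            return S_ERROR("Missing credential field %r" % key)
    try:
        pairs = parseDN(credDict["DN"])
    except ValueError as exc:
        return S_ERROR("Invalid DN: %s" % exc)
    # The CN must be the identity's CN, i.e. one of the CN components of the DN.
    cnValues = [value for attr, value in pairs if attr == "CN"]
    if not cnValues:
        return S_ERROR("DN carries no CN component")
    if credDict["CN"] not in cnValues:
        return S_ERROR("CN %r does not match DN %r" % (credDict["CN"], credDict["DN"]))
    # The chain is expected to be a non-empty list of certificates.
    chain = credDict["x509Chain"]
    if not isinstance(chain, list) or not chain:
        return S_ERROR("x509Chain must be a non-empty list")
    # A limited proxy is by definition a proxy; reject contradictory flags.
    if credDict["isLimitedProxy"] and not credDict["isProxy"]:
        return S_ERROR("isLimitedProxy set without isProxy")
    # Limited proxies are usually barred from operations that delegate further.
    if credDict["isLimitedProxy"] and not allowLimitedProxy:
        return S_ERROR("Limited proxy certificates are not accepted here")
    group = credDict.get("group")
    if requireGroup and not group:
        return S_ERROR("Peer has no DIRAC group attached")
    return S_OK({
        "DN": credDict["DN"],
        "CN": credDict["CN"],
        "group": group,
        "isProxy": bool(credDict["isProxy"]),
        "isLimitedProxy": bool(credDict["isLimitedProxy"]),
    })


# Constructed sample dictionaries; the chain entries are placeholders.
GOOD_CREDS = {
    "DN": "/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser",
    "CN": "ciuser",
    "x509Chain": ["<user cert>", "<CA cert>"],
    "isProxy": True,
    "isLimitedProxy": False,
    "group": "dirac_user",
}
LIMITED_CREDS = dict(GOOD_CREDS, isLimitedProxy=True)
MISMATCH_CREDS = dict(GOOD_CREDS, CN="someoneelse")

if __name__ == "__main__":
    print(checkPeerCredentials({}))
    print(checkPeerCredentials(GOOD_CREDS, requireGroup=True))
    print(checkPeerCredentials(LIMITED_CREDS))
    print(checkPeerCredentials(MISMATCH_CREDS))
```

The `allowLimitedProxy` flag is the one knob a service would typically expose: keep it `False` for anything that creates further delegations, and enable it only for read-only endpoints.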
- getFormattedCredentials()
- getKeepAliveLapse()
- getLastActionTimestamp()
- getLocalAddress()
- getRemoteAddress()
- getSocket()
- handshake()
Perform the SSL handshake. This has to be called after the connection was accepted (acceptConnection_multipleSteps).
The remote credentials are gathered here.
- handshake_multipleSteps()
Perform the SSL handshake. This has to be called after the connection was accepted (acceptConnection_multipleSteps).
The remote credentials are gathered here.
- handshake_singleStep()
Used to perform SSL handshakes. These are now done automatically.
- iListenQueueSize = 128
- iReadTimeout = 600
- initAsClient()
Prepare this client socket for use.
- initAsServer()
Prepare this server socket for use.
- isLocked()
Returns whether this instance is locked. Always returns False.
- Returns:
False
- keepAliveMagic = b'dka'
- latestServerRenewTime()
- receiveData(maxBufferSize=0, blockAfterKeepAlive=True, idleReceive=False)
- renewServerContext()
Renews the server context. This reloads the certificates and re-initialises the SSL context.
NOTE: Chris 15.05.20 I noticed python segfault on a regular time interval. The stack trace always looks like that:
#0 0x00007fdb5bbe2388 in ?? () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
#1 0x00007fdb5bbd8742 in X509_STORE_load_locations () from /opt/dirac/pro/diracos/usr/lib64/python2.7/lib-dynload/../../libcrypto.so.10
#2 0x00007fdb57edcc9d in _wrap_ssl_ctx_load_verify_locations (self=<optimized out>, args=<optimized out>) at SWIG/_m2crypto_wrap.c:20602
#3 0x00007fdb644ec484 in PyEval_EvalFrameEx () from /opt/dirac/versions/v10r0_1587978031/diracos/usr/bin/../lib64/libpython2.7.so.1.0
I could not find anything fundamentally wrong, and the context renewal is the only place I could think of.
GSI based SSLTransport did the following: renew the context, and renew the Connection object using the same raw socket. This still seems very fishy to me though, especially that the ServiceReactor still has the old object in self.__listeningConnections[svcName]['socket']]
Here, we are refreshing the CA store. What was missing was the call to the parent class, thus entering some sort of infinite loop. The parent's call seems to have fixed it.
- sendData(uData, prefix=b'')
- sendKeepAlive(responseId=None, now=False)
- serverMode()
- setAppData(appData)
- setClientSocket(oSocket)
Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.
- Parameters:
oSocket – client socket SSL.Connection object
- setClientSocket_multipleSteps(oSocket)
Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.
- Parameters:
oSocket – client socket SSL.Connection object
- setClientSocket_singleStep(oSocket)
Set the inner socket (i.e. SSL.Connection object) of this instance to the value of oSocket. We also gather the remote peer credentials. This method is intended to be used to create client connection objects from a server and should be considered to be an internal function.
- Parameters:
oSocket – client socket SSL.Connection object
- setExtraCredentials(extraCredentials)
Add extra credentials to peerCredentials.
- setSocketTimeout(timeout)
Set the timeout for RPC calls.
- Parameters:
timeout – timeout for socket operation in seconds