[ovs-dev] [PATCH] Don't raise an Exception on failure to connect via SSL
Ilya Maximets
i.maximets at ovn.org
Tue Sep 15 19:02:17 UTC 2020
On 9/15/20 7:17 PM, Terry Wilson wrote:
> With other socket types, trying to connect and failing will return
> an error code, but if an SSL Stream is used, then when
> check_connection_completion(sock) is called, SSL will raise an
> exception that doesn't derive from socket.error which is handled.
>
> This adds handling for SSL.error, which get_exception_errno
> will simply return errno.EPROTO for.
>
> Signed-off-by: Terry Wilson <twilson at redhat.com>
> ---
Hi, Terry. Thanks for working on this!
Some comments inline.
Best regards, Ilya Maximets.
> python/ovs/socket_util.py | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/python/ovs/socket_util.py b/python/ovs/socket_util.py
> index 3faa64e9d..ffcdd28cb 100644
> --- a/python/ovs/socket_util.py
> +++ b/python/ovs/socket_util.py
> @@ -19,6 +19,11 @@ import random
> import socket
> import sys
>
> +try:
> + from OpenSSL import SSL
> +except ImportError:
> + SSL = None
> +
> import ovs.fatal_signal
> import ovs.poller
> import ovs.vlog
> @@ -184,7 +189,7 @@ def check_connection_completion(sock):
> # XXX rate-limit
> vlog.err("poll return POLLERR but send succeeded")
> return errno.EPROTO
> - except socket.error as e:
> + except (socket.error, SSL.Error) if SSL else socket.error as e:
This doesn't look right because this breaks the stream abstraction.
I think, SSL.Error should not go outside of SSLStream class in the first place.
Looking at methods of SSLStream class, I see that it catches only few of SSL
errors and translates them to errno, but it must catch all possible SSL errors.
See interpret_ssl_error() of the C implementation in lib/stream-ssl.c.
I think, we need to implement similar handling in python code to unify behavior.
What do you think?
> return get_exception_errno(e)
> else:
> return 0
> @@ -259,7 +264,7 @@ def get_exception_errno(e):
> exception is documented as having two completely different forms of
> arguments: either a string or a (errno, string) tuple. We only want the
> errno."""
> - if isinstance(e.args, tuple):
> + if isinstance(e, socket.error) and isinstance(e.args, tuple):
> return e.args[0]
> else:
> return errno.EPROTO
>
More information about the dev
mailing list