Preventing infinite loop when SSL client cert required


szeim

Oct 26, 2010, 11:30:54 AM10/26/10
to Tornado Web Server
Hi all,

With the following code snippet I can configure the server to
require a signed cert on the client side too:

import ssl
from tornado import httpserver, ioloop

# container: the request callback / Application; settings: the app's config
http_server = httpserver.HTTPServer(container, ssl_options={
    "certfile": "server.crt",
    "keyfile": "server.key",
    "cert_reqs": ssl.CERT_REQUIRED,   # client must present a cert signed by ca.crt
    "ca_certs": "ca.crt",
})
http_server.bind(port=int(settings.LISTEN_PORT),
                 address=settings.LISTEN_ADDR)
http_server.start(1)
ioloop.IOLoop.instance().start()

But if the client doesn't send a certificate, then tornado gets into
an infinite loop.
(gentoo www-servers/tornado, version 1.1)

---- 8< -----
SSLError: [Errno 1] _ssl.c:490: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
ERROR:root:Exception in I/O handler for fd 14
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/tornado/ioloop.py", line 254, in start
    self._handlers[fd](fd, events)
  File "/usr/lib64/python2.6/site-packages/tornado/stack_context.py", line 128, in wrapped
    callback(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 150, in _handle_events
    self._handle_read()
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 281, in _handle_read
    self._do_ssl_handshake()
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 261, in _do_ssl_handshake
    self.socket.do_handshake()
  File "/usr/lib64/python2.6/ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:490: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
ERROR:root:Exception in I/O handler for fd 15
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/tornado/ioloop.py", line 254, in start
    self._handlers[fd](fd, events)
  File "/usr/lib64/python2.6/site-packages/tornado/stack_context.py", line 128, in wrapped
    callback(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 150, in _handle_events
    self._handle_read()
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 281, in _handle_read
    self._do_ssl_handshake()
  File "/usr/lib64/python2.6/site-packages/tornado/iostream.py", line 261, in _do_ssl_handshake
    self.socket.do_handshake()
  File "/usr/lib64/python2.6/ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:490: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
---- 8< -----

If I patch the class SSLIOStream (tornado/iostream.py) to close the
connection if there's an SSL error, then it seems OK: I can see that
there's an error (exception raised), but the infinite loop goes away:

---- 8< -----
@@ -385,6 +385,9 @@ class SSLIOStream(IOStream):
elif err.args[0] in (ssl.SSL_ERROR_EOF,
ssl.SSL_ERROR_ZERO_RETURN):
return self.close()
+ elif err.args[0] == ssl.SSL_ERROR_SSL:
+ self.close()
+ raise
raise
except socket.error, err:
if err.args[0] == errno.ECONNABORTED:
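Review bot: the new SSL_ERROR_SSL branch closes the stream but then re-raises, so unlike the SSL_ERROR_EOF / SSL_ERROR_ZERO_RETURN branch just above it (`return self.close()`) the exception still escapes into the I/O loop's handler and is logged with a full traceback for every client that fails the handshake; since close() is what unregisters the fd and stops the loop, `return self.close()` (optionally preceded by a one-line log of `err`) would be consistent with the existing branch, and whether a re-raise is wanted at all depends on whether _handle_events is going to catch it. Also worth stating which checkout the hunk is against: its header says line 385, while the traceback above shows _do_ssl_handshake at line 261 of the installed 1.1 iostream.py.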
---- 8< -----

Any ideas?

Cheers
Imre

Melvin Carvalho

Oct 26, 2010, 1:23:22 PM10/26/10
to python-...@googlegroups.com

Can you set cert to OPTIONAL as per the Apache directive?

>
> Cheers
> Imre
>
>

Ben Darnell

Oct 26, 2010, 3:28:14 PM10/26/10
to python-...@googlegroups.com
IOStream._handle_events needs a try/except block similar to the one in
_run_callback. I'm not sure whether this would replace the one in
_run_callback or if we need one in both places.

-Ben
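The mechanism behind Imre's loop and Ben's proposed fix, as an added example that is not tornado's code: a hypothetical, stripped-down model of the SSLIOStream handshake path plus a loop that delivers read events to it. With the 1.1 behaviour (exception propagates, fd stays registered) the handler is invoked again on every readiness event; closing the stream on a fatal SSL error unregisters the fd after a single call. HandshakeStream, FakeSock and simulate are constructed for this example, not tornado APIs.

```python
import ssl

class HandshakeStream:
    """Model of tornado 1.1's SSLIOStream handshake path (added example)."""
    def __init__(self, sock, close_on_ssl_error=True):
        self.socket = sock                    # has do_handshake() and close()
        self.close_on_ssl_error = close_on_ssl_error
        self.registered = True                # fd still known to the I/O loop
        self.handshake_done = False
    def close(self):                          # unregister the fd, then close
        self.registered = False
        self.socket.close()
    def handle_read(self):                    # called whenever the fd is readable
        if self.registered and not self.handshake_done:
            self._do_ssl_handshake()
    def _do_ssl_handshake(self):
        try:
            self.socket.do_handshake()
        except ssl.SSLError as err:
            if err.args[0] in (ssl.SSL_ERROR_WANT_READ, ssl.SSL_ERROR_WANT_WRITE):
                return                        # still in progress; wait for I/O
            if err.args[0] in (ssl.SSL_ERROR_EOF, ssl.SSL_ERROR_ZERO_RETURN):
                return self.close()
            if not self.close_on_ssl_error:
                raise                         # as in 1.1: fd stays registered
            return self.close()               # fatal (e.g. no client cert): drop it
        self.handshake_done = True

class FakeSock:
    """Constructed double: raises the scripted SSL error codes in turn,
    repeating the last one forever; None means the handshake succeeds."""
    def __init__(self, codes):
        self.codes = list(codes)
    def do_handshake(self):
        code = self.codes.pop(0) if len(self.codes) > 1 else self.codes[0]
        if code is not None:
            raise ssl.SSLError(code, "simulated handshake failure")
    def close(self):
        pass

def simulate(codes, close_on_ssl_error=True, max_events=1000):
    """Deliver read events like the I/O loop; count handler calls until the fd is gone."""
    stream, calls = HandshakeStream(FakeSock(codes), close_on_ssl_error), 0
    while stream.registered and not stream.handshake_done and calls < max_events:
        calls += 1
        try:
            stream.handle_read()
        except ssl.SSLError:
            pass                              # tornado's loop logs and carries on
    return calls
```

simulate([ssl.SSL_ERROR_SSL], close_on_ssl_error=False) runs until max_events, which is the observed loop; with the default it returns after one call.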

Imre SZEBENYI

Oct 27, 2010, 3:02:53 AM10/27/10
to python-...@googlegroups.com
On 10/26/2010 07:23 PM, Melvin Carvalho wrote:
> On 26 October 2010 17:30, szeim <imre.s...@cern.ch> wrote:
>> Hi all,
[...]

>>
>> Any Ideas?
>
> Can you set cert to OPTIONAL as per the Apache directive?
>
>>
[...]


If I set it to ssl.CERT_OPTIONAL, then it works, of course.
But that doesn't suit me, because I need ssl.CERT_REQUIRED
(I have to validate the clients).

Cheers
Imre
