Transport endpoint is not connected error occurs after port scan

241 views
Skip to first unread message

James Penick

unread,
Sep 15, 2015, 5:18:09 PM9/15/15
to Tornado Web Server
Hi Everyone,

I'm investigating an issue that is showing up on our production servers a few times each day. The error in question looks like this:

Traceback (most recent call last):
  File "/home/me/git/rome/packages_venv/lib/python2.7/site-packages/tornado/iostream.py", line 508, in _handle_events
    self._handle_read()
  File "/home/me/git/rome/packages_venv/lib/python2.7/site-packages/tornado/iostream.py", line 1322, in _handle_read
    self._do_ssl_handshake()
  File "/home/me/git/rome/packages_venv/lib/python2.7/site-packages/tornado/iostream.py", line 1243, in _do_ssl_handshake
    self.socket.do_handshake()
  File "/usr/local/lib/python2.7.9/lib/python2.7/ssl.py", line 783, in do_handshake
    self._check_connected()
  File "/usr/local/lib/python2.7.9/lib/python2.7/ssl.py", line 595, in _check_connected
    self.getpeername()
  File "/usr/local/lib/python2.7.9/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 107] Transport endpoint is not connected

After reading through the code, I noticed the following comment in iostream.py:

# Some port scans (e.g. nmap in -sT mode) have been known
# to cause do_handshake to raise EBADF, so make that error
# quiet as well.
# https://groups.google.com/forum/?fromgroups#!topic/python-tornado/ApucKJat1_0

I went ahead and tried running nmap in -sT mode and, sure enough, I get the same error that is showing up on our production servers. Would it make sense to expand the logic in iostream in this exception handler to also include the case where err.args[0] == errno.ENOTCONN?

For what it's worth, I'm running on Ubuntu 14.04 with python 2.7.9. I've reproduced this with tornado 4.1 and 4.2.1.

James

James Penick

unread,
Sep 18, 2015, 5:17:17 PM9/18/15
to Tornado Web Server
One more data point is that this does not appear to be an issue on python 2.7.8. It looks like the implementation of the do_handshake() routine changed between 2.7.8 and 2.7.9.

James

Ben Darnell

unread,
Sep 19, 2015, 12:48:10 AM9/19/15
to Tornado Mailing List
On Fri, Sep 18, 2015 at 5:17 PM, James Penick <james.c...@gmail.com> wrote:
One more data point is that this does not appear to be an issue on python 2.7.8. It looks like the implementation of the do_handshake() routine changed between 2.7.8 and 2.7.9.

That is indeed a useful data point: the ssl module was completely overhauled in 2.7.9. It looks like what used to raise EBADF now raises ENOTCONN, so we should handle both the same way in iostream.py. 

-Ben
 

James

--
You received this message because you are subscribed to the Google Groups "Tornado Web Server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python-tornad...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Phyo Arkar

unread,
Sep 19, 2015, 4:25:03 AM9/19/15
to Tornado Mailing List
Nice finding James!
Reply all
Reply to author
Forward
0 new messages