Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-11 Thread Terry Wilson
Sorry about that. The dangers of multiple windows and multiple ovs
directories. "Why is this passing for me?!" Oh... The new patch just
ignores all SSL errors like lib/stream-ssl.c's ssl_close() instead of just
the want read/write.

On Wed, Jul 10, 2019 at 2:59 PM Ben Pfaff wrote:

> On Wed, Jul 10, 2019 at 11:07:16AM -0500, Terry Wilson wrote:
> > Without shutting down the SSL connection, log messages like:
> >
> > stream_ssl|WARN|SSL_read: unexpected SSL connection close
> > jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> > reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
> >
> > would occur whenever the socket is closed. This just adds an
> > SSLStream.close() that calls shutdown() and ignores read/write
> > errors.
> >
> > Signed-off-by: Terry Wilson 
>
> Thanks for the patch.
>
> With this applied, I get two test failures, details below.
>
> ##  ##
> ## Summary of the failures. ##
> ##  ##
> Failed tests:
> openvswitch 2.11.90 test suite test groups:
>
>  NUM: FILE-NAME:LINE TEST-GROUP-NAME
>   KEYWORDS
>
>  2108: ovsdb-idl.at:351   simple idl, initially empty, various ops -
> Python2 - SSL
>   ovsdb server idl positive python with ssl socket
>  2439: ovsdb-idl.at:1452  simple idl verify notify - Python2 - SSL
>   ovsdb server idl positive python with ssl socket notify
>
> ## -- ##
> ## Detailed failed tests. ##
> ## -- ##
>
> # -*- compilation -*-
> 2108. ovsdb-idl.at:351: testing simple idl, initially empty, various ops
> - Python2 - SSL ...
> ../../tests/ovsdb-idl.at:351: ovsdb-tool create db
> $abs_srcdir/idltest.ovsschema
> stderr:
> stdout:
> ../../tests/ovsdb-idl.at:351: ovsdb-server -vconsole:warn --log-file
> --detach --no-chdir \
>  --pidfile \
>  --private-key=$PKIDIR/testpki-privkey2.pem \
>  --certificate=$PKIDIR/testpki-cert2.pem \
>  --ca-cert=$PKIDIR/testpki-cacert.pem \
>  --remote=pssl:0:127.0.0.1 db
> ovsdb-idl.at:351: waiting until TCP_PORT=`sed -n 's/.*0:.*: listening on
> port \([0-9]*\)$/\1/p' "ovsdb-server.log"` && test X != X"$TCP_PORT"...
> ovsdb-idl.at:351: wait succeeded immediately
> ../../tests/ovsdb-idl.at:351: $PYTHON $srcdir/test-ovsdb.py  -t10 idl
> $srcdir/idltest.ovsschema \
>  ssl:127.0.0.1:$TCP_PORT $PKIDIR/testpki-privkey.pem \
>  $PKIDIR/testpki-cert.pem $PKIDIR/testpki-cacert.pem
> '["idltest",
>   {"op": "insert",
>"table": "simple",
>"row": {"i": 1,
>"r": 2.0,
>"b": true,
>"s": "mystring",
>"u": ["uuid", "84f5c8f5-ac76-4dbc-a24f-8860eb407fc1"],
>"ia": ["set", [1, 2, 3]],
>"ra": ["set", [-0.5]],
>"ba": ["set", [true]],
>"sa": ["set", ["abc", "def"]],
>"ua": ["set", [["uuid",
> "69443985-7806-45e2-b35f-574a04e720f9"],
>   ["uuid",
> "aad11ef0-816a-4b01-93e6-03b8b4256b98"]]]}},
>   {"op": "insert",
>"table": "simple",
>"row": {}}]' \
> '["idltest",
>   {"op": "update",
>"table": "simple",
>"where": [],
>"row": {"b": true}}]' \
> '["idltest",
>   {"op": "update",
>"table": "simple",
>"where": [],
>"row": {"r": 123.5}}]' \
> '["idltest",
>   {"op": "insert",
>"table": "simple",
>"row": {"i": -1,
>"r": 125,
>"b": false,
>"s": "",
>"ia": ["set", [1]],
>"ra": ["set", [1.5]],
>"ba": ["set", [false]],
>"sa": ["set", []],
>"ua": ["set", []]}}]' \
> '["idltest",
>   {"op": "update",
>"table": "simple",
>"where": [["i", "<", 1]],
>"row": {"s": "newstring"}}]' \
> '["idltest",
>   {"op": "delete",
>"table": "simple",
>"where": [["i", "==", 0]]}]' \
> 'reconnect'
> stderr:
> 2019-07-10T19:57:50Z |  0  | reconnect | DBG | ssl:127.0.0.1:38627:
> entering BACKOFF
> 2019-07-10T19:57:50Z |  1  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  2  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  3  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  4  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  5  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  6  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  7  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  8  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  9  | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  10 | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  11 | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  12 | poller | DBG | [POLLOUT] on fd 3
> 2019-07-10T19:57:50Z |  13 

Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-10 Thread Ben Pfaff
On Wed, Jul 10, 2019 at 11:07:16AM -0500, Terry Wilson wrote:
> Without shutting down the SSL connection, log messages like:
> 
> stream_ssl|WARN|SSL_read: unexpected SSL connection close
> jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
> 
> would occur whenever the socket is closed. This just adds an
> SSLStream.close() that calls shutdown() and ignores read/write
> errors.
> 
> Signed-off-by: Terry Wilson 

Thanks for the patch.

With this applied, I get two test failures, details below.

##  ##
## Summary of the failures. ##
##  ##
Failed tests:
openvswitch 2.11.90 test suite test groups:

 NUM: FILE-NAME:LINE TEST-GROUP-NAME
  KEYWORDS

 2108: ovsdb-idl.at:351   simple idl, initially empty, various ops - Python2 - 
SSL
  ovsdb server idl positive python with ssl socket
 2439: ovsdb-idl.at:1452  simple idl verify notify - Python2 - SSL
  ovsdb server idl positive python with ssl socket notify

## -- ##
## Detailed failed tests. ##
## -- ##

# -*- compilation -*-
2108. ovsdb-idl.at:351: testing simple idl, initially empty, various ops - 
Python2 - SSL ...
../../tests/ovsdb-idl.at:351: ovsdb-tool create db $abs_srcdir/idltest.ovsschema
stderr:
stdout:
../../tests/ovsdb-idl.at:351: ovsdb-server -vconsole:warn --log-file --detach 
--no-chdir \
 --pidfile \
 --private-key=$PKIDIR/testpki-privkey2.pem \
 --certificate=$PKIDIR/testpki-cert2.pem \
 --ca-cert=$PKIDIR/testpki-cacert.pem \
 --remote=pssl:0:127.0.0.1 db
ovsdb-idl.at:351: waiting until TCP_PORT=`sed -n 's/.*0:.*: listening on port 
\([0-9]*\)$/\1/p' "ovsdb-server.log"` && test X != X"$TCP_PORT"...
ovsdb-idl.at:351: wait succeeded immediately
../../tests/ovsdb-idl.at:351: $PYTHON $srcdir/test-ovsdb.py  -t10 idl 
$srcdir/idltest.ovsschema \
 ssl:127.0.0.1:$TCP_PORT $PKIDIR/testpki-privkey.pem \
 $PKIDIR/testpki-cert.pem $PKIDIR/testpki-cacert.pem '["idltest",
  {"op": "insert",
   "table": "simple",
   "row": {"i": 1,
   "r": 2.0,
   "b": true,
   "s": "mystring",
   "u": ["uuid", "84f5c8f5-ac76-4dbc-a24f-8860eb407fc1"],
   "ia": ["set", [1, 2, 3]],
   "ra": ["set", [-0.5]],
   "ba": ["set", [true]],
   "sa": ["set", ["abc", "def"]],
   "ua": ["set", [["uuid", "69443985-7806-45e2-b35f-574a04e720f9"],
  ["uuid", 
"aad11ef0-816a-4b01-93e6-03b8b4256b98"]]]}},
  {"op": "insert",
   "table": "simple",
   "row": {}}]' \
'["idltest",
  {"op": "update",
   "table": "simple",
   "where": [],
   "row": {"b": true}}]' \
'["idltest",
  {"op": "update",
   "table": "simple",
   "where": [],
   "row": {"r": 123.5}}]' \
'["idltest",
  {"op": "insert",
   "table": "simple",
   "row": {"i": -1,
   "r": 125,
   "b": false,
   "s": "",
   "ia": ["set", [1]],
   "ra": ["set", [1.5]],
   "ba": ["set", [false]],
   "sa": ["set", []],
   "ua": ["set", []]}}]' \
'["idltest",
  {"op": "update",
   "table": "simple",
   "where": [["i", "<", 1]],
   "row": {"s": "newstring"}}]' \
'["idltest",
  {"op": "delete",
   "table": "simple",
   "where": [["i", "==", 0]]}]' \
'reconnect'
stderr:
2019-07-10T19:57:50Z |  0  | reconnect | DBG | ssl:127.0.0.1:38627: entering 
BACKOFF
2019-07-10T19:57:50Z |  1  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  2  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  3  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  4  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  5  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  6  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  7  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  8  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  9  | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  10 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  11 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  12 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  13 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  14 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z |  15 | reconnect | INFO | ssl:127.0.0.1:38627: 
connecting...
2019-07-10T19:57:50Z |  16 | reconnect | DBG | ssl:127.0.0.1:38627: entering 
CONNECTING
2019-07-10T19:57:50Z |  17 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z |  18 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z |  19 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z |  20 | poller | DBG | [POLLOUT] on fd

Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-10 Thread Terry Wilson
from __future__ import print_function
import sys

from ovs import jsonrpc
from ovs import stream
from ovs.unixctl import client


# Endpoint and SSL key material from the OVN sandbox.
URI = 'ssl:127.0.0.1:6641'
PRIV = 'sandbox/ovnnb-privkey.pem'
CERT = 'sandbox/ovnnb-cert.pem'
CACERT = 'sandbox/pki/switchca/cacert.pem'
stream.Stream.ssl_set_private_key_file(PRIV)
stream.Stream.ssl_set_certificate_file(CERT)
stream.Stream.ssl_set_ca_cert_file(CACERT)


class SSLClient(client.UnixctlClient):
    @classmethod
    def create(cls, uri):
        # Open the stream from an ssl: URI and block until it is connected.
        error, _stream = stream.Stream.open_block(
            stream.Stream.open(uri))
        if error:
            client.vlog.warn("failed to connect to %s" % uri)
            return error, None
        return 0, cls(jsonrpc.Connection(_stream))


_, c = SSLClient.create(URI)
print(c.transact("echo", ["hello world"]))
# Closing the connection is the step that produces the server-side warnings.
c.close()

On Wed, Jul 10, 2019 at 12:17 PM Mark Michelson wrote:

> On 7/10/19 12:11 PM, Terry Wilson wrote:
> > An example of a reproducer script attached. If you enable SSL and OVN w/
> > the sandbox and run it, looking in the sandbox/nb1.log you'll see the
> > disconnect errors that the patch makes go away.
> >
>
> Hi Terry. It looks like the mailing list has eaten your attachment. If
> possible, can you include it in-line?
>
> > On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson 
> wrote:
> >
> >> Without shutting down the SSL connection, log messages like:
> >>
> >> stream_ssl|WARN|SSL_read: unexpected SSL connection close
> >> jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> >> reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
> >>
> >> would occur whenever the socket is closed. This just adds an
> >> SSLStream.close() that calls shutdown() and ignores read/write
> >> errors.
> >>
> >> Signed-off-by: Terry Wilson 
> >> ---
> >>   python/ovs/stream.py | 8 
> >>   1 file changed, 8 insertions(+)
> >>
> >> diff --git a/python/ovs/stream.py b/python/ovs/stream.py
> >> index c15be4b..fd1045e 100644
> >> --- a/python/ovs/stream.py
> >> +++ b/python/ovs/stream.py
> >> @@ -825,6 +825,14 @@ class SSLStream(Stream):
> >>   except SSL.SysCallError as e:
> >>   return -ovs.socket_util.get_exception_errno(e)
> >>
> >> +def close(self):
> >> +if self.socket:
> >> +try:
> >> +self.socket.shutdown()
> >> +except (SSL.WantReadError, SSL.WantWriteError):
> >> +pass
> >> +return super(SSLStream, self).close()
> >> +
> >>
> >>   if SSL:
> >>   # Register SSL only if the OpenSSL module is available
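Review bot: no test accompanies the new SSLStream.close(); the diffstat shows only python/ovs/stream.py changing, so nothing exercises the shutdown path. Consider extending one of the existing Python SSL tests to check that the server log contains no "unexpected SSL connection close" warning after the client closes.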
> >> --
> >> 1.8.3.1
> >>
> >>
> >>
> >> ___
> >> dev mailing list
> >> d...@openvswitch.org
> >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>


Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-10 Thread Mark Michelson

On 7/10/19 12:11 PM, Terry Wilson wrote:
> An example of a reproducer script attached. If you enable SSL and OVN w/
> the sandbox and run it, looking in the sandbox/nb1.log you'll see the
> disconnect errors that the patch makes go away.

Hi Terry. It looks like the mailing list has eaten your attachment. If
possible, can you include it in-line?

On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson wrote:

Without shutting down the SSL connection, log messages like:

stream_ssl|WARN|SSL_read: unexpected SSL connection close
jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)

would occur whenever the socket is closed. This just adds an
SSLStream.close() that calls shutdown() and ignores read/write
errors.

Signed-off-by: Terry Wilson 
---
  python/ovs/stream.py | 8 
  1 file changed, 8 insertions(+)

diff --git a/python/ovs/stream.py b/python/ovs/stream.py
index c15be4b..fd1045e 100644
--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
@@ -825,6 +825,14 @@ class SSLStream(Stream):
  except SSL.SysCallError as e:
  return -ovs.socket_util.get_exception_errno(e)

+def close(self):
+if self.socket:
+try:
+self.socket.shutdown()
+except (SSL.WantReadError, SSL.WantWriteError):
+pass
+return super(SSLStream, self).close()
+

  if SSL:
  # Register SSL only if the OpenSSL module is available
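Review bot: the new close() has no docstring or comment, and the reason for calling self.socket.shutdown() before super(SSLStream, self).close() lives only in the commit message. A one-line comment above the try that names the peer's "unexpected SSL connection close" warning would keep the rationale with the code.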
--
1.8.3.1





Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-10 Thread Terry Wilson
An example of a reproducer script attached. If you enable SSL and OVN w/
the sandbox and run it, looking in the sandbox/nb1.log you'll see the
disconnect errors that the patch makes go away.

On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson wrote:

> Without shutting down the SSL connection, log messages like:
>
> stream_ssl|WARN|SSL_read: unexpected SSL connection close
> jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
>
> would occur whenever the socket is closed. This just adds an
> SSLStream.close() that calls shutdown() and ignores read/write
> errors.
>
> Signed-off-by: Terry Wilson 
> ---
>  python/ovs/stream.py | 8 
>  1 file changed, 8 insertions(+)
>
> diff --git a/python/ovs/stream.py b/python/ovs/stream.py
> index c15be4b..fd1045e 100644
> --- a/python/ovs/stream.py
> +++ b/python/ovs/stream.py
> @@ -825,6 +825,14 @@ class SSLStream(Stream):
>  except SSL.SysCallError as e:
>  return -ovs.socket_util.get_exception_errno(e)
>
> +def close(self):
> +if self.socket:
> +try:
> +self.socket.shutdown()
> +except (SSL.WantReadError, SSL.WantWriteError):
> +pass
> +return super(SSLStream, self).close()
> +
>
>  if SSL:
>  # Register SSL only if the OpenSSL module is available
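Review bot: the `pass` under `except (SSL.WantReadError, SSL.WantWriteError):` makes the shutdown best-effort without saying so. self.socket.shutdown() is called once and not retried when it would block, so the peer may still see the connection end without a clean SSL shutdown. If that is intended, state it in a comment at the except clause so a later reader does not take the silent `pass` for an oversight.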
> --
> 1.8.3.1
>
>


[ovs-dev] [PATCH] Shutdown SSL connection before closing socket

2019-07-10 Thread Terry Wilson
Without shutting down the SSL connection, log messages like:

stream_ssl|WARN|SSL_read: unexpected SSL connection close
jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)

would occur whenever the socket is closed. This just adds an
SSLStream.close() that calls shutdown() and ignores read/write
errors.

Signed-off-by: Terry Wilson 
---
 python/ovs/stream.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/python/ovs/stream.py b/python/ovs/stream.py
index c15be4b..fd1045e 100644
--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
@@ -825,6 +825,14 @@ class SSLStream(Stream):
 except SSL.SysCallError as e:
 return -ovs.socket_util.get_exception_errno(e)
 
+def close(self):
+if self.socket:
+try:
+self.socket.shutdown()
+except (SSL.WantReadError, SSL.WantWriteError):
+pass
+return super(SSLStream, self).close()
+
 
 if SSL:
 # Register SSL only if the OpenSSL module is available
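Review bot: the except clause in close() covers only SSL.WantReadError and SSL.WantWriteError, so any other exception raised by self.socket.shutdown(), for instance the SSL.SysCallError that the context lines just above already handle, propagates out of close() and super(SSLStream, self).close() is never reached, leaving the socket open. Suggest putting the shutdown in a try/finally, or catching SSL.Error as well, so the base-class close always runs.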
-- 
1.8.3.1
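
Added example (not part of the thread or of the OVS code base): the stream_ssl warning quoted in the commit message carries no peer address, so this script attributes each one to the jsonrpc "receive error" line that follows it and counts unclean TLS closes per peer. The log lines are constructed, and the "timestamp|sequence|" prefix and the adjacency of the two warnings are assumptions about the server's log file.

```python
import re
from collections import Counter

# "module|LEVEL|message", with or without an assumed "timestamp|seq|" prefix.
LINE_RE = re.compile(r"(?:^|\|)(?P<module>[a-z_]+)\|(?P<level>[A-Z]+)\|(?P<msg>.*)$")
UNCLEAN = "SSL_read: unexpected SSL connection close"
RECV_ERR = ": receive error: Protocol error"

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
2019-07-10T16:07:01.101Z|00041|stream_ssl|WARN|SSL_read: unexpected SSL connection close
2019-07-10T16:07:01.101Z|00042|jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
2019-07-10T16:07:01.102Z|00043|reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
2019-07-10T16:07:05.300Z|00044|reconnect|INFO|ssl:192.0.2.10:51000: connecting...
2019-07-10T16:07:05.400Z|00045|jsonrpc|WARN|ssl:192.0.2.10:51000: receive error: Protocol error
stream_ssl|WARN|SSL_read: unexpected SSL connection close
jsonrpc|WARN|ssl:127.0.0.1:47060: receive error: Protocol error
stream_ssl|WARN|SSL_read: unexpected SSL connection close
jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
stream_ssl|WARN|SSL_read: unexpected SSL connection close
"""


def unclean_tls_closes(lines):
    """Return (Counter of peer -> unclean closes, warnings left unattributed)."""
    per_peer = Counter()
    pending = 0  # stream_ssl warnings not yet matched to a peer
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if not m or m.group("level") != "WARN":
            continue
        module, msg = m.group("module"), m.group("msg")
        if module == "stream_ssl" and msg == UNCLEAN:
            pending += 1
        elif module == "jsonrpc" and msg.endswith(RECV_ERR) and pending:
            # The jsonrpc line names the peer that the stream_ssl line omits.
            per_peer[msg[:-len(RECV_ERR)]] += 1
            pending -= 1
    return per_peer, pending


if __name__ == "__main__":
    peers, orphaned = unclean_tls_closes(SAMPLE_LOG.splitlines())
    for peer, count in peers.most_common():
        print("%-24s %d unclean TLS close(s)" % (peer, count))
    print("unattributed: %d" % orphaned)
```

A jsonrpc protocol error with no preceding stream_ssl warning (the 192.0.2.10 line in the sample) is deliberately not counted, since it did not come from a missing SSL shutdown.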
