Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket
Sorry about that. The dangers of multiple windows and multiple ovs
directories. "Why is this passing for me?!" Oh...

The new patch just ignores all SSL errors like lib/stream-ssl.c's
ssl_close() instead of just the want read/write.

On Wed, Jul 10, 2019 at 2:59 PM Ben Pfaff wrote:
> On Wed, Jul 10, 2019 at 11:07:16AM -0500, Terry Wilson wrote:
> > Without shutting down the SSL connection, log messages like:
> >
> > stream_ssl|WARN|SSL_read: unexpected SSL connection close
> > jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> > reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
> >
> > would occur whenever the socket is closed. This just adds an
> > SSLStream.close() that calls shutdown() and ignores read/write
> > errors.
> >
> > Signed-off-by: Terry Wilson
>
> Thanks for the patch.
>
> With this applied, I get two test failures, details below.
>
> ## Summary of the failures. ##
>
> Failed tests:
> openvswitch 2.11.90 test suite test groups:
>
>  NUM: FILE-NAME:LINE     TEST-GROUP-NAME
>       KEYWORDS
>
> 2108: ovsdb-idl.at:351   simple idl, initially empty, various ops - Python2 - SSL
>       ovsdb server idl positive python with ssl socket
> 2439: ovsdb-idl.at:1452  simple idl verify notify - Python2 - SSL
>       ovsdb server idl positive python with ssl socket notify
>
> ## Detailed failed tests. ##
>
> # -*- compilation -*-
> 2108. ovsdb-idl.at:351: testing simple idl, initially empty, various ops - Python2 - SSL ...
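To make the difference between the submitted patch (ignore only want-read/want-write) and the follow-up described above (ignore every SSL error, as lib/stream-ssl.c's ssl_close() does) concrete, here is an added example that is not OVS or pyOpenSSL code: a fake connection records whether the descriptor actually gets closed when shutdown() raises. The exception classes, FakeSSLConnection, close_v1, close_v2 and probe are all constructed for this illustration; the exception names mirror OpenSSL.SSL's, and the assumption that they share a common Error base matches pyOpenSSL's hierarchy.

```python
# Added example, not code from OVS or pyOpenSSL: a test double standing in for
# an SSL connection, used to contrast the close() the patch proposed (ignore only
# WantRead/WantWrite) with the follow-up that ignores every SSL error. The
# exception classes mirror OpenSSL.SSL names; deriving from Error is assumed.

class Error(Exception):
    """Stand-in for OpenSSL.SSL.Error, the base class of the ones below."""
class WantReadError(Error): pass
class WantWriteError(Error): pass
class SysCallError(Error): pass  # socket-level failure, e.g. peer already gone

class FakeSSLConnection:
    """Records the order of calls; shutdown() raises `exc` when one is given."""
    def __init__(self, exc=None):
        self.exc = exc
        self.calls = []

    def shutdown(self):
        self.calls.append("shutdown")  # the real one sends the TLS close_notify
        if self.exc is not None:
            raise self.exc

    def close(self):
        self.calls.append("close")  # the real one releases the file descriptor

def close_v1(conn):
    """The submitted patch: only the want-read/want-write errors are ignored."""
    try:
        conn.shutdown()
    except (WantReadError, WantWriteError):
        pass
    return conn.close()

def close_v2(conn):
    """The follow-up: ignore any SSL error from shutdown() and always close."""
    try:
        conn.shutdown()
    except Error:
        pass
    finally:
        conn.close()

def probe(close_fn, exc=None):
    """Close a fresh fake connection; return (call order, escaped exception name)."""
    conn = FakeSSLConnection(exc)
    try:
        close_fn(conn)
    except Exception as e:
        return conn.calls, type(e).__name__
    return conn.calls, None
```

With a peer that is already gone, `probe(close_v1, SysCallError())` shows the exception escaping and the socket never being closed, while `close_v2` both swallows it and closes the descriptor.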
Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket
On Wed, Jul 10, 2019 at 11:07:16AM -0500, Terry Wilson wrote:
> Without shutting down the SSL connection, log messages like:
>
> stream_ssl|WARN|SSL_read: unexpected SSL connection close
> jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
>
> would occur whenever the socket is closed. This just adds an
> SSLStream.close() that calls shutdown() and ignores read/write
> errors.
>
> Signed-off-by: Terry Wilson

Thanks for the patch.

With this applied, I get two test failures, details below.

## Summary of the failures. ##

Failed tests:
openvswitch 2.11.90 test suite test groups:

 NUM: FILE-NAME:LINE     TEST-GROUP-NAME
      KEYWORDS

2108: ovsdb-idl.at:351   simple idl, initially empty, various ops - Python2 - SSL
      ovsdb server idl positive python with ssl socket
2439: ovsdb-idl.at:1452  simple idl verify notify - Python2 - SSL
      ovsdb server idl positive python with ssl socket notify

## Detailed failed tests. ##

# -*- compilation -*-
2108. ovsdb-idl.at:351: testing simple idl, initially empty, various ops - Python2 - SSL ...
../../tests/ovsdb-idl.at:351: ovsdb-tool create db $abs_srcdir/idltest.ovsschema
stderr:
stdout:
../../tests/ovsdb-idl.at:351: ovsdb-server -vconsole:warn --log-file --detach --no-chdir \
    --pidfile \
    --private-key=$PKIDIR/testpki-privkey2.pem \
    --certificate=$PKIDIR/testpki-cert2.pem \
    --ca-cert=$PKIDIR/testpki-cacert.pem \
    --remote=pssl:0:127.0.0.1 db
ovsdb-idl.at:351: waiting until TCP_PORT=`sed -n 's/.*0:.*: listening on port \([0-9]*\)$/\1/p' "ovsdb-server.log"` && test X != X"$TCP_PORT"...
ovsdb-idl.at:351: wait succeeded immediately
../../tests/ovsdb-idl.at:351: $PYTHON $srcdir/test-ovsdb.py -t10 idl $srcdir/idltest.ovsschema \
    ssl:127.0.0.1:$TCP_PORT $PKIDIR/testpki-privkey.pem \
    $PKIDIR/testpki-cert.pem $PKIDIR/testpki-cacert.pem \
    '["idltest",
      {"op": "insert",
       "table": "simple",
       "row": {"i": 1,
               "r": 2.0,
               "b": true,
               "s": "mystring",
               "u": ["uuid", "84f5c8f5-ac76-4dbc-a24f-8860eb407fc1"],
               "ia": ["set", [1, 2, 3]],
               "ra": ["set", [-0.5]],
               "ba": ["set", [true]],
               "sa": ["set", ["abc", "def"]],
               "ua": ["set", [["uuid", "69443985-7806-45e2-b35f-574a04e720f9"],
                              ["uuid", "aad11ef0-816a-4b01-93e6-03b8b4256b98"]]]}},
      {"op": "insert",
       "table": "simple",
       "row": {}}]' \
    '["idltest",
      {"op": "update",
       "table": "simple",
       "where": [],
       "row": {"b": true}}]' \
    '["idltest",
      {"op": "update",
       "table": "simple",
       "where": [],
       "row": {"r": 123.5}}]' \
    '["idltest",
      {"op": "insert",
       "table": "simple",
       "row": {"i": -1,
               "r": 125,
               "b": false,
               "s": "",
               "ia": ["set", [1]],
               "ra": ["set", [1.5]],
               "ba": ["set", [false]],
               "sa": ["set", []],
               "ua": ["set", []]}}]' \
    '["idltest",
      {"op": "update",
       "table": "simple",
       "where": [["i", "<", 1]],
       "row": {"s": "newstring"}}]' \
    '["idltest",
      {"op": "delete",
       "table": "simple",
       "where": [["i", "==", 0]]}]' \
    'reconnect'
stderr:
2019-07-10T19:57:50Z | 0 | reconnect | DBG | ssl:127.0.0.1:38627: entering BACKOFF
2019-07-10T19:57:50Z | 1 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 2 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 3 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 4 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 5 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 6 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 7 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 8 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 9 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 10 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 11 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 12 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 13 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 14 | poller | DBG | [POLLOUT] on fd 3
2019-07-10T19:57:50Z | 15 | reconnect | INFO | ssl:127.0.0.1:38627: connecting...
2019-07-10T19:57:50Z | 16 | reconnect | DBG | ssl:127.0.0.1:38627: entering CONNECTING
2019-07-10T19:57:50Z | 17 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z | 18 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z | 19 | poller | DBG | [POLLOUT] on fd 4
2019-07-10T19:57:50Z | 20 | poller | DBG | [POLLOUT] on fd
Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket
from __future__ import print_function
import sys

from ovs import jsonrpc
from ovs import stream
from ovs.unixctl import client

URI = 'ssl:127.0.0.1:6641'
PRIV = 'sandbox/ovnnb-privkey.pem'
CERT = 'sandbox/ovnnb-cert.pem'
CACERT = 'sandbox/pki/switchca/cacert.pem'

# Point the ovs stream layer at the sandbox's client key, certificate and CA.
stream.Stream.ssl_set_private_key_file(PRIV)
stream.Stream.ssl_set_certificate_file(CERT)
stream.Stream.ssl_set_ca_cert_file(CACERT)


class SSLClient(client.UnixctlClient):
    @classmethod
    def create(cls, uri):
        # Open the ssl: stream and block until the connection completes.
        error, _stream = stream.Stream.open_block(stream.Stream.open(uri))
        if error:
            client.vlog.warn("failed to connect to %s" % uri)
            return error, None
        return 0, cls(jsonrpc.Connection(_stream))


_, c = SSLClient.create(URI)
print(c.transact("echo", ["hello world"]))
c.close()  # closing the socket is what produces the server-side warnings without the patch

On Wed, Jul 10, 2019 at 12:17 PM Mark Michelson wrote:
> On 7/10/19 12:11 PM, Terry Wilson wrote:
> > An example of a reproducer script attached. If you enable SSL and OVN w/
> > the sandbox and run it, looking in the sandbox/nb1.log you'll see the
> > disconnect errors that the patch makes go away.
> >
>
> Hi Terry. It looks like the mailing list has eaten your attachment. If
> possible, can you include it in-line?
>
> > On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson wrote:
> >
> >> Without shutting down the SSL connection, log messages like:
> >>
> >> stream_ssl|WARN|SSL_read: unexpected SSL connection close
> >> jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error
> >> reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error)
> >>
> >> would occur whenever the socket is closed. This just adds an
> >> SSLStream.close() that calls shutdown() and ignores read/write
> >> errors.
> >>
> >> Signed-off-by: Terry Wilson
> >> ---
> >> python/ovs/stream.py | 8
> >> 1 file changed, 8 insertions(+)
> >>
> >> diff --git a/python/ovs/stream.py b/python/ovs/stream.py
> >> index c15be4b..fd1045e 100644
> >> --- a/python/ovs/stream.py
> >> +++ b/python/ovs/stream.py
> >> @@ -825,6 +825,14 @@ class SSLStream(Stream): > >> except SSL.SysCallError as e: > >> return -ovs.socket_util.get_exception_errno(e) > >> > >> +def close(self): > >> +if self.socket: > >> +try: > >> +self.socket.shutdown() > >> +except (SSL.WantReadError, SSL.WantWriteError): > >> +pass > >> +return super(SSLStream, self).close() > >> + > >> > >> if SSL: > >> # Register SSL only if the OpenSSL module is available > >> -- > >> 1.8.3.1 > >> > >> > >> > >> ___ > >> dev mailing list > >> d...@openvswitch.org > >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket
On 7/10/19 12:11 PM, Terry Wilson wrote: An example of a reproducer script attached. If you enable SSL and OVN w/ the sandbox and run it, looking in the sandbox/nb1.log you'll see the disconnect errors that the patch makes go away. Hi Terry. It looks like the mailing list has eaten your attachment. If possible, can you include it in-line? On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson wrote: Without shutting down the SSL connection, log messages like: stream_ssl|WARN|SSL_read: unexpected SSL connection close jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error) would occur whenever the socket is closed. This just adds an SSLStream.close() that calls shutdown() and ignores read/write errors. Signed-off-by: Terry Wilson --- python/ovs/stream.py | 8 1 file changed, 8 insertions(+) diff --git a/python/ovs/stream.py b/python/ovs/stream.py index c15be4b..fd1045e 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py @@ -825,6 +825,14 @@ class SSLStream(Stream): except SSL.SysCallError as e: return -ovs.socket_util.get_exception_errno(e) +def close(self): +if self.socket: +try: +self.socket.shutdown() +except (SSL.WantReadError, SSL.WantWriteError): +pass +return super(SSLStream, self).close() + if SSL: # Register SSL only if the OpenSSL module is available -- 1.8.3.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH] Shutdown SSL connection before closing socket
An example of a reproducer script attached. If you enable SSL and OVN w/ the sandbox and run it, looking in the sandbox/nb1.log you'll see the disconnect errors that the patch makes go away. On Wed, Jul 10, 2019 at 11:07 AM Terry Wilson wrote: > Without shutting down the SSL connection, log messages like: > > stream_ssl|WARN|SSL_read: unexpected SSL connection close > jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error > reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error) > > would occur whenever the socket is closed. This just adds an > SSLStream.close() that calls shutdown() and ignores read/write > errors. > > Signed-off-by: Terry Wilson > --- > python/ovs/stream.py | 8 > 1 file changed, 8 insertions(+) > > diff --git a/python/ovs/stream.py b/python/ovs/stream.py > index c15be4b..fd1045e 100644 > --- a/python/ovs/stream.py > +++ b/python/ovs/stream.py > @@ -825,6 +825,14 @@ class SSLStream(Stream): > except SSL.SysCallError as e: > return -ovs.socket_util.get_exception_errno(e) > > +def close(self): > +if self.socket: > +try: > +self.socket.shutdown() > +except (SSL.WantReadError, SSL.WantWriteError): > +pass > +return super(SSLStream, self).close() > + > > if SSL: > # Register SSL only if the OpenSSL module is available > -- > 1.8.3.1 > > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH] Shutdown SSL connection before closing socket
Without shutting down the SSL connection, log messages like: stream_ssl|WARN|SSL_read: unexpected SSL connection close jsonrpc|WARN|ssl:127.0.0.1:47052: receive error: Protocol error reconnect|WARN|ssl:127.0.0.1:47052: connection dropped (Protocol error) would occur whenever the socket is closed. This just adds an SSLStream.close() that calls shutdown() and ignores read/write errors. Signed-off-by: Terry Wilson --- python/ovs/stream.py | 8 1 file changed, 8 insertions(+) diff --git a/python/ovs/stream.py b/python/ovs/stream.py index c15be4b..fd1045e 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py @@ -825,6 +825,14 @@ class SSLStream(Stream): except SSL.SysCallError as e: return -ovs.socket_util.get_exception_errno(e) +def close(self): +if self.socket: +try: +self.socket.shutdown() +except (SSL.WantReadError, SSL.WantWriteError): +pass +return super(SSLStream, self).close() + if SSL: # Register SSL only if the OpenSSL module is available -- 1.8.3.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
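Review bot: The new close() lets any SSL error other than want-read/want-write escape, and when one does the socket is never closed: self.socket.shutdown() raises SSL.SysCallError when the peer has already gone away (the same error the context lines just above this hunk handle for the I/O path), that class is not in the except tuple, and the exception leaves close() before `return super(SSLStream, self).close()` runs, so the descriptor leaks and the caller gets a traceback from a plain close. Suggest catching the pyOpenSSL base class instead, `except SSL.Error:`, which covers WantReadError, WantWriteError, ZeroReturnError and SysCallError alike and matches the "ignore all SSL errors like lib/stream-ssl.c's ssl_close()" direction taken later in this thread, and moving the super().close() call into a finally: so the socket is released even if shutdown() raises something unexpected. The `if self.socket:` guard is fine; shutdown() returning False (the peer's close_notify has not arrived yet) needs no handling here because the socket is closed immediately afterwards.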