Backport two patches to fix ClientSession SSL errors

epel9
Kalev Lember 10 years ago
parent b009416d58
commit f6bb05f57d

@ -0,0 +1,49 @@
From 9103bda257e235b26bdbeb9198299cbc13a0d515 Mon Sep 17 00:00:00 2001
From: Ralph Bean <rbean@redhat.com>
Date: Sat, 15 Aug 2015 14:35:03 -0400
Subject: [PATCH] Be more careful when detect cert-expiry exceptions.
We ran into this in the Fedora koji instance today after an upgrade last night.
The inline comments explain the reasoning
---
koji/__init__.py | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/koji/__init__.py b/koji/__init__.py
index 81064c3..f45ff70 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1943,8 +1943,29 @@ class ClientSession(object):
except Exception, e:
self._close_connection()
if isinstance(e, OpenSSL.SSL.Error):
+ # pyOpenSSL doesn't use different exception
+ # subclasses, we have to actually parse the args
for arg in e.args:
- for _, _, ssl_reason in arg:
+ # First, check to see if 'arg' is iterable because
+ # it can be anything..
+ try:
+ iter(arg)
+ except TypeError:
+ continue
+
+ # We do all this so that we can detect cert expiry
+ # so we can avoid retrying those over and over.
+ for items in arg:
+ try:
+ iter(items)
+ except TypeError:
+ continue
+
+ if len(items) != 3:
+ continue
+
+ _, _, ssl_reason = items
+
if ('certificate revoked' in ssl_reason or
'certificate expired' in ssl_reason):
# There's no point in retrying for this
--
2.5.0
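Review bot: The added parsing can still replace the original SSL error with a TypeError, because the third element is unpacked into `ssl_reason` and tested with `in` without checking that it is a string. Adding `if not isinstance(ssl_reason, basestring): continue` before the test would keep unexpected shapes on the normal retry path. Separately, under Python 2 (the `except Exception, e` syntax) a TypeError caught by the new inner `try`/`except` becomes the current exception in this frame. The bare `raise` that follows the matched reason (outside this hunk, visible in the other backported patch) may therefore re-raise that TypeError instead of the certificate error if a non-iterable entry was skipped first; re-raising the saved exception explicitly would avoid that. The enclosing `except` block starts and ends outside the hunk.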

@ -0,0 +1,45 @@
From ab0b2e465d0f8ad930f28eb3a49850afb57250c2 Mon Sep 17 00:00:00 2001
From: Mathieu Bridon <bochecha@daitauha.fr>
Date: Thu, 23 Jul 2015 10:19:23 +0200
Subject: [PATCH] Better catch SSL errors
Commit 4de27c52de80596d256b059a67d10c7ed5e61238 made Koji to not retry
on SSL errors.
However, it turns out that some SSL errors are transient, and Koji
should still retry for them.
This commit changes that, so that we are more specific about which SSL
errors should be fatal: expired or revoked certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1207178
---
koji/__init__.py | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/koji/__init__.py b/koji/__init__.py
index fadbada..e7a66f2 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1940,11 +1940,15 @@ class ClientSession(object):
except (SystemExit, KeyboardInterrupt):
#(depending on the python version, these may or may not be subclasses of Exception)
raise
- except OpenSSL.SSL.Error as e:
- # There's no point in retrying this
- raise
except Exception, e:
self._close_connection()
+ if isinstance(e, OpenSSL.SSL.Error):
+ for arg in e.args:
+ for _, _, ssl_reason in arg:
+ if ('certificate revoked' in ssl_reason or
+ 'certificate expired' in ssl_reason):
+ # There's no point in retrying for this
+ raise
if not self.logged_in:
#in the past, non-logged-in sessions did not retry. For compatibility purposes
#this behavior is governed by the anon_retry opt.
--
2.5.0
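Review bot: The fatal-versus-transient decision at `'certificate revoked' in ssl_reason` depends on the human-readable reason text taken from the exception's args, and nothing next to the check says so. A comment such as `# reason text comes from the OpenSSL error queue; only expired/revoked certs are treated as permanent` would record that dependency for whoever next touches the retry logic. As written, any other SSL failure falls through to the retry code below; that matches the commit message, but it is worth stating at the check itself. The `except` block continues outside the hunk.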

@ -9,13 +9,16 @@
Name: koji Name: koji
Version: 1.10.0 Version: 1.10.0
Release: 1%{?dist} Release: 2%{?dist}
License: LGPLv2 and GPLv2+ License: LGPLv2 and GPLv2+
# koji.ssl libs (from plague) are GPLv2+ # koji.ssl libs (from plague) are GPLv2+
Summary: Build system tools Summary: Build system tools
Group: Applications/System Group: Applications/System
URL: https://fedorahosted.org/koji URL: https://fedorahosted.org/koji
Patch0: fedora-config.patch Patch0: fedora-config.patch
# Backported upstream patches
Patch1: 0001-Better-catch-SSL-errors.patch
Patch2: 0001-Be-more-careful-when-detect-cert-expiry-exceptions.patch
Source: https://fedorahosted.org/released/koji/koji-%{version}.tar.bz2 Source: https://fedorahosted.org/released/koji/koji-%{version}.tar.bz2
BuildArch: noarch BuildArch: noarch
@ -153,6 +156,8 @@ koji-web is a web UI to the Koji system.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b orig %patch0 -p1 -b orig
%patch1 -p1
%patch2 -p1
%build %build
@ -315,6 +320,9 @@ fi
%endif %endif
%changelog %changelog
* Thu Sep 24 2015 Kalev Lember <klember@redhat.com> - 1.10.0-2
- Backport two patches to fix ClientSession SSL errors
* Thu Jul 16 2015 Dennis Gilmore <dennis@ausil.us> - 1.10.0=1 * Thu Jul 16 2015 Dennis Gilmore <dennis@ausil.us> - 1.10.0=1
- update to 1.10.0 release - update to 1.10.0 release
