From ab0b2e465d0f8ad930f28eb3a49850afb57250c2 Mon Sep 17 00:00:00 2001
From: Mathieu Bridon
Date: Thu, 23 Jul 2015 10:19:23 +0200
Subject: [PATCH] Better catch SSL errors
Commit 4de27c52de80596d256b059a67d10c7ed5e61238 made Koji to not retry on SSL errors. However, it turns out that some SSL errors are transient, and Koji should still retry for them. This commit changes that, so that we are more specific about which SSL errors should be fatal: expired or revoked certificates. https://bugzilla.redhat.com/show_bug.cgi?id=1207178
---
 koji/__init__.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/koji/__init__.py b/koji/__init__.py
index fadbada..e7a66f2 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1940,11 +1940,15 @@ class ClientSession(object):
 except (SystemExit, KeyboardInterrupt):
 #(depending on the python version, these may or may not be subclasses of Exception)
 raise
- except OpenSSL.SSL.Error as e:
- # There's no point in retrying this
- raise
 except Exception, e:
 self._close_connection()
+ if isinstance(e, OpenSSL.SSL.Error):
+ for arg in e.args:
+ for _, _, ssl_reason in arg:
+ if ('certificate revoked' in ssl_reason or
+ 'certificate expired' in ssl_reason):
+ # There's no point in retrying for this
+ raise
 if not self.logged_in:
 #in the past, non-logged-in sessions did not retry. For compatibility purposes
 #this behavior is governed by the anon_retry opt.
--
2.5.0
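Review bot: The added `for _, _, ssl_reason in arg:` loop assumes every element of `e.args` is a list of 3-tuples, but pyOpenSSL's `SysCallError` (a subclass of `OpenSSL.SSL.Error`) carries `(errno, message)` in `args`. Iterating that integer raises `TypeError` inside the handler, which masks the original, probably transient, error instead of letting it reach the retry logic. Guard the inner loop by putting `if not isinstance(arg, list): continue` ahead of the unpacking. Separately, because only 'certificate revoked' and 'certificate expired' are matched, other permanent verification failures appear to fall through to the retry path below. If that is intended, record it with a comment such as `# other SSL failures are retried deliberately, see rhbz#1207178`; if not, extend the fatal list. The enclosing try/except starts and continues outside the hunk.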