From bd9ad989ffe883e86e89753e2864004f7e2d29ac Mon Sep 17 00:00:00 2001
From: jbjohnso
Date: Mon, 31 Mar 2008 14:21:16 +0000
Subject: [PATCH] -Fix xcatd DoS/SSL negotiation global hang

git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@943 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-server-2.0/sbin/xcatd | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/xCAT-server-2.0/sbin/xcatd b/xCAT-server-2.0/sbin/xcatd
index c55fc7875..38eb0824c 100755
--- a/xCAT-server-2.0/sbin/xcatd
+++ b/xCAT-server-2.0/sbin/xcatd
@@ -371,14 +371,10 @@ unless ($pid) {
 }
 $$progname="xcatd: SSL listener";
 openlog("xCAT SSL","","local4");
-my $listener = IO::Socket::SSL->new(
+my $listener = IO::Socket::INET->new(
 LocalPort => $port,
 Listen => 64,
 Reuse => 1,
-SSL_key_file=>$xcatdir."/cert/server-key.pem",
-SSL_cert_file=>$xcatdir."/cert/server-cert.pem",
-SSL_ca_file=>$xcatdir."/cert/ca.pem",
-SSL_verify_mode=> 1
 );
 unless ($listener) {
@@ -397,7 +393,8 @@ xCAT_monitoring::monitorctrl::start($$);
 my $peername;
 until ($quit) {
-next unless my $connection=$listener->accept;
+next unless my $cnnection=$listener->accept;
+my $connection;
 my $child = xCAT::Utils->xfork(); #Yes we fork, IO::Socket::SSL is not threadsafe..
 unless (defined $child) {
@@ -406,6 +403,13 @@ until ($quit) {
 if ($child == 0) {
 $listener->close;
+$connection = IO::Socket::SSL->start_SSL($cnnection,
+SSL_key_file=>$xcatdir."/cert/server-key.pem",
+SSL_cert_file=>$xcatdir."/cert/server-cert.pem",
+SSL_ca_file=>$xcatdir."/cert/ca.pem",
+SSL_server=>1,
+SSL_verify_mode=> 1
+);
 my $peerhost=undef;
 my $peer=$connection->peer_certificate("owner");
 if ($peer) {
@@ -438,7 +442,7 @@ if ($inet6support) {
 service_connection($connection,$peername,$peerhost);
 exit(0);
 }
-$connection->close(SSL_no_shutdown => 1); #Without no shutdown, you can guess what the client ends up thinking..
+$cnnection->close();
 }
 $listener->close;
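Review bot: The new accepted-socket variable `$cnnection` differs from `$connection` by one dropped letter, which reads as a typo and makes the parent's plain TCP socket and the child's SSL-wrapped socket easy to confuse; the same name is used again in the parent's close in the last hunk. A descriptive name states the distinction instead: `next unless my $raw_connection=$listener->accept;` here and `$raw_connection->close();` in the final hunk. The `until ($quit)` loop body continues outside this hunk.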
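Review bot: The result of `IO::Socket::SSL->start_SSL` is never checked and the handshake has no time limit, so a client that completes the TCP connect but never finishes the TLS handshake now ties up a forked child indefinitely instead of the listener — many such connections still exhaust process slots, so the hang has moved rather than gone. Bound the handshake in the child and bail out on failure: `local $SIG{ALRM} = sub { exit(1) }; alarm 60;` before the call, `alarm 0;` after it, and `exit(1) unless $connection;` before `peer_certificate` is invoked on it (start_SSL is documented to return undef on failure, and the method call on undef would then die rather than exit cleanly). Logging the failure reason with `syslog` is presumably available here since `openlog` is already called earlier in the file. The enclosing `if ($child == 0)` block ends outside this hunk.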