From 38f07252f837013fe87eff7936d2c39986ada3e7 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 20 May 2014 09:41:55 -0400
Subject: [PATCH] Defer ssl wrap until after accept()

ssl wrap prior to accept causes accept() to be too complicated to stay in the persistent thread and makes key changes require restart to pickup. Call the wrap_socket within the dedicated client thread so that it gets up to date at the right time and picks up certificate changes in a timely fashion.
---
 confluent_server/confluent/sockapi.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py
index 3e29ba49..72c59b41 100644
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@@ -197,16 +197,20 @@ def _tlshandler():
     plainsocket = socket.socket(socket.AF_INET6)
     plainsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
     plainsocket.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
-    srv = ssl.wrap_socket(plainsocket, keyfile="/etc/confluent/privkey.pem",
+    plainsocket.bind(('::', 13001, 0, 0))
+    plainsocket.listen(5)
+    while (1): # TODO: exithook
+        cnn, addr = plainsocket.accept()
+        eventlet.spawn_n(_tlsstartup, cnn)
+
+
+def _tlsstartup(cnn):
+    authname = None
+    cnn = ssl.wrap_socket(cnn, keyfile="/etc/confluent/privkey.pem",
                           certfile="/etc/confluent/srvcert.pem",
                           ssl_version=ssl.PROTOCOL_TLSv1, server_side=True)
 
-    srv.bind(('::', 13001, 0, 0))
-    srv.listen(5)
-    authname = None
-    while (1): # TODO: exithook
-        cnn, addr = srv.accept()
-        eventlet.spawn_n(sessionhdl, cnn, authname)
+    sessionhdl(cnn, authname)
 
 
 def _unixdomainhandler():
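Review bot: `_tlsstartup` runs the TLS handshake with no error handling, so a peer that sends a non-TLS byte stream or disconnects mid-handshake makes `ssl.wrap_socket` raise inside the spawned greenthread and the accepted `cnn` is never closed; before this change the same failure at least surfaced in the one accept loop, now each bad connection can leak a descriptor. Wrapping the handshake in a try/except that closes the plain socket and returns keeps the listener healthy without changing the success path (rewritten function below). The new function also has no docstring; a one-liner such as `"""Complete the TLS handshake on an accepted socket, then hand it to sessionhdl."""` would record why the wrap moved off the listener (per-connection pickup of key and certificate changes, as the commit message says). In the accept loop `addr` is unused and could be written `_`. `_tlshandler` begins outside the hunk.
```python
def _tlsstartup(cnn):
    """Complete the TLS handshake on an accepted socket, then hand it to sessionhdl."""
    authname = None
    try:
        cnn = ssl.wrap_socket(cnn, keyfile="/etc/confluent/privkey.pem",
                              certfile="/etc/confluent/srvcert.pem",
                              ssl_version=ssl.PROTOCOL_TLSv1, server_side=True)
    except (ssl.SSLError, socket.error):
        cnn.close()  # handshake failed: release the plain socket rather than leak it
        return
    sessionhdl(cnn, authname)
```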