
HPCC-17255 Secure dafilesrv timeouts

Signed-off-by: Mark Kelly <mark.kelly@lexisnexisrisk.com>
Mark Kelly 8 年之前
父節點
當前提交
f519e6b82d

+ 3 - 2
common/remote/rmtfile.cpp

@@ -336,8 +336,9 @@ unsigned getDaliServixVersion(const SocketEndpoint &_ep,StringBuffer &ver)
     SocketEndpoint ep(_ep);
     setDafsEndpointPort(ep);
     if (ep.isNull())
-        return false;
-    try {
+        return 0;
+    try
+    {
         Owned<ISocket> socket = ISocket::connect_timeout(ep,10000);
         return getRemoteVersion(socket,ver);
     }

+ 16 - 0
common/remote/sockfile.cpp

@@ -2588,6 +2588,22 @@ unsigned getRemoteVersion(ISocket * socket, StringBuffer &ver)
     // used to have a global critical section here
     if (!socket)
         return 0;
+
+    Owned<ISecureSocket> ssock;
+
+    if (securitySettings.useSSL && !socket->isSecure())
+    {
+#ifdef _USE_OPENSSL
+        ssock.setown(createSecureSocket(LINK(socket), ClientSocket));
+        int status = ssock->secure_connect();
+        if (status < 0)
+            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
+        socket = ssock;
+#else
+        throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+#endif
+    }
+
     unsigned ret;
     MemoryBuffer sendbuf;
     initSendBuffer(sendbuf);
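Review bot: The TLS upgrade added to getRemoteVersion is not bounded by any timeout: secure_connect() takes no timeout argument (its definition in securesocket.cpp in this same commit has an empty parameter list), so a peer that completes the TCP connect but stalls the handshake can block here even though the caller in rmtfile.cpp used connect_timeout(ep,10000). Consider applying a read timeout on the socket before the upgrade, or at minimum documenting the gap with `// NOTE: secure_connect() is not bounded by the caller's connect timeout`. The call also passes no verification options, so whether the server certificate is checked depends on createSecureSocket's defaults, which are not visible here; a one-line comment at the call site stating the intended policy would help the next reader. The rest of getRemoteVersion runs past the hunk.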

+ 29 - 2
system/jlib/jsocket.cpp

@@ -416,8 +416,10 @@ public:
     bool        set_nagle(bool on);
     void        set_linger(int lingersecs); 
     void        set_keep_alive(bool set);
+    void        logConnectionInfo(unsigned timeoutms, unsigned conn_mstime);
     virtual void set_inherit(bool inherit=false);
     virtual bool check_connection();
+    virtual bool isSecure() const override;
 
     
     // Block functions
@@ -1280,6 +1282,10 @@ bool CSocket::connect_timeout( unsigned timeout, bool noexception)
 #ifdef _TRACE
                 setTraceName();
 #endif              
+#ifdef SOCKTRACE
+                unsigned conn_mstime = (usTick() - startt) / 1000;
+                logConnectionInfo(timeout, conn_mstime);
+#endif
                 return true;
             }
         }
@@ -1426,14 +1432,20 @@ void CSocket::connect_wait(unsigned timems)
             CriticalBlock block(crit);
             --connectingcount;
         }
-        if (err==0) {
+        if (err==0)
+        {
             err = post_connect();
-            if (err==0) {
+            if (err==0)
+            {
                 STATS.connects++;
                 STATS.connecttime+=usTick()-startt;
 #ifdef _TRACE
                 setTraceName();
 #endif              
+#ifdef SOCKTRACE
+                unsigned conn_mstime = (usTick() - startt) / 1000;
+                logConnectionInfo(timems, conn_mstime);
+#endif
                 return;
             }
         }
@@ -2579,6 +2591,21 @@ void CSocket::set_ttl(unsigned _ttl)
     return;
 }
 
+void CSocket::logConnectionInfo(unsigned timeoutms, unsigned conn_mstime)
+{
+    char lname[256];
+    int lport = name(lname, sizeof(lname));
+    char rname[256];
+    int rport = peer_name(rname, sizeof(rname));
+    PROGLOG("SOCKTRACE: connect(%u) - time:%u ms fd:%d l:%s:%d r:%s:%d", timeoutms, conn_mstime, sock, lname, lport, rname, rport);
+    // PrintStackReport();
+}
+
+bool CSocket::isSecure() const
+{
+    return false;
+}
+
 CSocket::~CSocket()
 {
   if (owned) 
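Review bot: In the new CSocket::logConnectionInfo (the hunk after set_ttl), `lname` and `rname` are handed to PROGLOG with %s without being initialised, so if name() or peer_name() can return without writing the buffer the log line prints indeterminate stack bytes; whether they can is not visible here, and zero-initialising removes the question for the cost of nothing: `char lname[256] = {0};` and `char rname[256] = {0};`. The commented-out `// PrintStackReport();` should either be removed or carry a note saying why it is kept for SOCKTRACE builds. The expression `(usTick() - startt) / 1000` is duplicated in the connect_timeout and connect_wait hunks; the narrowing into `unsigned` is fine for milliseconds, but a comment such as `// elapsed wall time since connect start, ms` at each use would make the unit explicit.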

+ 1 - 0
system/jlib/jsocket.hpp

@@ -384,6 +384,7 @@ public:
     virtual size32_t udp_write_to(const SocketEndpoint &ep,void const* buf, size32_t size) = 0;
     virtual bool check_connection() = 0;
 
+    virtual bool isSecure() const = 0;
 
 /*
 Exceptions raised: (when set_raise_exceptions(TRUE))
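Review bot: The new pure virtual `isSecure()` on ISocket carries no documentation of its contract, and because it is pure every class implementing ISocket must now override it; this commit updates CSocket and CSecureSocket, but any other implementer in the tree (not visible here) would stop compiling. Suggest a comment directly above it: `// true once this socket carries an established TLS session (set by CSecureSocket after the handshake); plain sockets return false`. If other implementers exist and must keep building, a defaulted `virtual bool isSecure() const { return false; }` is the conservative alternative, though the pure virtual has the merit of forcing each implementer to state its answer explicitly rather than silently reporting insecure-as-default.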

+ 9 - 0
system/security/securesocket/securesocket.cpp

@@ -134,6 +134,7 @@ private:
     bool        m_address_match;
     CStringSet* m_peers;
     int         m_loglevel;
+    bool        m_isSecure;
 private:
     StringBuffer& get_cn(X509* cert, StringBuffer& cn);
     bool verify_cert(X509* cert);
@@ -375,6 +376,10 @@ public:
         throw MakeStringException(-1, "not implemented");
     }
 
+    virtual bool isSecure() const override
+    {
+        return m_isSecure;
+    }
 };
 
 
@@ -390,6 +395,7 @@ CSecureSocket::CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify, bool addr
     m_address_match = address_match;
     m_peers = peers;;
     m_loglevel = loglevel;
+    m_isSecure = false;
 
     if(m_ssl == NULL)
     {
@@ -408,6 +414,7 @@ CSecureSocket::CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify, bool address
     m_address_match = address_match;
     m_peers = peers;;
     m_loglevel = loglevel;
+    m_isSecure = false;
 
     if(m_ssl == NULL)
     {
@@ -597,6 +604,7 @@ int CSecureSocket::secure_accept()
 
     }
 
+    m_isSecure = true;
     return 0;
 }
 
@@ -641,6 +649,7 @@ int CSecureSocket::secure_connect()
 
     }
 
+    m_isSecure = true;
     return 0;
 }
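Review bot: `isSecure()` returns `m_isSecure`, which is set only at the end of secure_connect()/secure_accept() and never cleared, so it reports that a handshake once completed rather than that the connection is currently protected, and it says nothing about whether the peer certificate was verified (that depends on the `verify` flag passed to the constructors). Suggest a comment on the override: `// true once secure_connect()/secure_accept() completed the TLS handshake; never reset afterwards and independent of certificate verification`. If the class has a shutdown or close path outside this diff, resetting `m_isSecure = false` there would keep the flag honest for callers that reuse the object. The two constructors assign `m_isSecure = false` in the body, matching the file's existing style; an in-class initialiser `bool m_isSecure = false;` at the declaration would cover any future constructor automatically.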