[PATCH] Don't retry on SSL failures

Jon jdisnard at gmail.com
Sat Jun 13 03:06:33 UTC 2015


This appears to work as you intend.

I restored a very old and expired backup copy of my .fedora.cert file.
Then attempted to scratch build an srpm:

$ koji build --scratch --nowait f23
/home/jdisnard/fedora-scm/glmark2/glmark2-2014.03-3.fc23.src.rpm
Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate
revoked'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]


My only question is why the previous OpenSSL import line was commented out?
Care to speculate? I'm guessing the SSLCommon was enough?


Regardless, the patch looks good.

ACK


On Fri, Jun 12, 2015 at 4:26 PM, Mathieu Bridon <bochecha at fedoraproject.org>
wrote:

> From: Mathieu Bridon <bochecha at daitauha.fr>
>
> With the current code, trying to SSL-login with a bad certificate will
> just make it look like the client code is hanging.
>
> That's because it tries and tries again, silently, until it reaches its
> maximum retry limit.
>
> But in the case of an SSL error, such as an expired client cert, there's
> really no point in retrying.
> ---
>  koji/__init__.py | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/koji/__init__.py b/koji/__init__.py
> index 58971da..9ebe83a 100644
> --- a/koji/__init__.py
> +++ b/koji/__init__.py
> @@ -57,7 +57,7 @@ import xmlrpclib
>  import xml.sax
>  import xml.sax.handler
>  from xmlrpclib import loads, dumps, Fault
> -#import OpenSSL.SSL
> +import OpenSSL
>  import zipfile
>
>  def _(args):
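
Review bot: the added line is "import OpenSSL", but the handler added further down references OpenSSL.SSL.Error; importing the submodule explicitly ("import OpenSSL.SSL", as the removed commented-out line named it) avoids relying on the package to expose SSL as an attribute. The change also turns a previously commented-out import into an unconditional one at module load, and neither the diff nor the commit message says why it was disabled, so a line on that in the commit message would help.
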
> @@ -1938,6 +1938,9 @@ class ClientSession(object):
>                  except (SystemExit, KeyboardInterrupt):
>                      #(depending on the python version, these may or may
> not be subclasses of Exception)
>                      raise
> +                except OpenSSL.SSL.Error as e:
> +                    # There's no point in retrying this
> +                    raise
>                  except Exception, e:
>                      self._close_connection()
>                      if not self.logged_in:
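
Review bot: the new "except OpenSSL.SSL.Error" branch re-raises without calling self._close_connection(), which the generic "except Exception, e" handler directly below does first; consider closing the connection before the raise so the session is not left holding a connection whose handshake failed. The branch also catches every OpenSSL.SSL.Error, while the commit message only argues for certificate failures such as an expired client cert, so it is worth confirming that no SSL error deserves a retry. Minor: the name bound by "as e" is unused, and the syntax differs from the "except Exception, e" form next to it.
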
> --
> 2.4.3




-- 

-Jon Disnard