SSL handshake can hang WSGI

Bug #795683 reported by Jon Slenk
This bug affects 6 people
Affects: OpenStack Object Storage (swift)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

Versions of Python before 2.6.6rc1 have http://bugs.python.org/issue5103. This can hang swift/common/wsgi.py. We've locally tested adding "do_handshake_on_connect=False" in ssl.wrap_socket. http://bazaar.launchpad.net/~hudson-openstack/swift/trunk/view/head:/swift/common/wsgi.py#L75. This is a possible denial of service problem. [We're on Bexar, but the relevant code looks to be the same in Diablo.]

Jon Slenk (jslenk)
description: updated
John Dickinson (notmyname) wrote :

can you give us a merge proposal of what you changed?

Jon Slenk (jslenk) wrote :

hi, sorry to be obtuse.

lines 75, 76 of swift/common/wsgi.py:
    sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
                           keyfile=conf['key_file'])

new lines 75, 76 of swift/common/wsgi.py:
    sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
                           keyfile=conf['key_file'], do_handshake_on_connect=False)

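The change above takes the TLS handshake out of the accept path. As an added illustration that is not the reporter's patch and not Swift's code, the Python below shows the same idea on a current interpreter (ssl.SSLContext, since ssl.wrap_socket is no longer in the standard library) and adds a per-connection handshake timeout, which is this example's own assumption rather than anything on the page: a peer that connects and never sends a ClientHello is dropped when the timeout expires and the acceptor moves on, instead of the whole server parking in the handshake, which is the denial-of-service concern the report raises. The server context is constructed without a certificate because the silent-peer path is decided before the server ever needs one.

```python
import socket
import ssl
import threading


def make_server_context():
    # Constructed for this example: a server context with no certificate
    # loaded. A peer that never sends a ClientHello is timed out before
    # OpenSSL gets as far as needing the certificate, so none is required
    # to exercise the path under discussion.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def accept_one(listener, ctx, handshake_timeout):
    """Accept one TCP connection, defer the TLS handshake, and bound it.

    Deferring the handshake (do_handshake_on_connect=False) is the change the
    bug report proposes. The explicit timeout is this example's addition: it
    is what turns "peer connected but never speaks" into an exception the
    acceptor can log and discard instead of an indefinite block (the pre-2.6.6
    behaviour described in the report).
    """
    conn, _peer = listener.accept()
    conn.settimeout(handshake_timeout)  # inherited by the wrapped socket
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    try:
        tls.do_handshake()
    except socket.timeout:
        return "handshake-timeout"
    except (ssl.SSLError, OSError):
        return "handshake-error"
    else:
        return "handshake-ok"
    finally:
        tls.close()


def run_demo(handshake_timeout=0.5, silent_peers=2):
    """Start a listener, connect `silent_peers` clients that send nothing,
    and return the outcome the acceptor recorded for each connection.

    Every entry is 'handshake-timeout': the acceptor keeps turning over
    rather than hanging on the first silent peer.
    """
    ctx = make_server_context()
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    outcomes = []

    def acceptor():
        for _ in range(silent_peers):
            outcomes.append(accept_one(listener, ctx, handshake_timeout))

    worker = threading.Thread(target=acceptor)
    worker.start()

    # Constructed peers: plain TCP connections that never start TLS.
    peers = [socket.create_connection(("127.0.0.1", port)) for _ in range(silent_peers)]
    worker.join()

    for peer in peers:
        peer.close()
    listener.close()
    return outcomes


if __name__ == "__main__":
    for i, outcome in enumerate(run_demo(), 1):
        print(f"connection {i}: {outcome}")
```

The same pattern applies when a certificate is loaded with `ctx.load_cert_chain(...)`: a well-behaved client completes the handshake and `accept_one` returns "handshake-ok", while a silent one still costs the server only `handshake_timeout` seconds of one worker's time.
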
Jon Slenk (jslenk) wrote :

(ugh that formatting word-wrap is painful)

Jérémy Guermonprez (jguermonprez) wrote :

By using SSL termination, as it seems to be recommended, you don't encounter the problem anymore.
Pound (http://www.apsis.ch/pound) is an open source alternative that seems pretty good.

John Dickinson (notmyname) wrote :

There are some other ssl issues I've been looking into lately as well. The summary is that it's a bad idea to terminate ssl on the proxy.

John Dickinson (notmyname) wrote :

SSL support is only provided in swift for example purposes. SSL should be terminated external to swift.

Changed in swift:
status: New → Won't Fix
importance: Undecided → Low