Bug tracker and wiki

Opened 12 days ago

Closed 12 days ago

Last modified 12 days ago

#1636 closed defect (fixed)

socket activation prevents ssl wrapping

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: critical
Milestone: 2.2
Component: server
Version: trunk
Keywords:
Cc:

Description (last modified by Antoine Martin)

The first problem is that, despite having --ssl-cert=/etc/xpra/ssl-cert.pem, the proxy command line doesn't specify ssl=on.

More importantly, after enabling ssl (and working around Ubuntu platform bugs: ticket:1521#comment:12), we still get an error:

socket tcp socket: ::ffff:127.0.0.1, 14500, 0, 0 <- ::ffff:127.0.0.1, 53728, 0, 0 peek: got 170 bytes
socket peek="\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03v{\xfe{\x87\x881N\xbe\x9d\xaa\x8f\x9dX\xcbo\x85\xdd\xa3\xb9\xcd6\n\x1aY\x0b\xe5\x0b\xab\x10\xaai\x00\x008\xc0,\xc00\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0+\xc0/\x00\x9e\xc0$\xc0(\x00k\xc0#\xc0'\x00g\xc0\n\xc0\x14\x009\xc0\t\xc0\x13\x003\x00\x9d\x00\x9c\x00=\x00<\x005\x00/\x00\xff\x01\x00\x00@\x00\x0b\x00\x04\x03\x00\x01\x02\x00\n\x00\x04\x00\x02\x00\x17\x00#\x00\x00\x00\r\x00 \x00\x1e\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x00\x16\x00\x00\x00\x17\x00\x00"
socket peek hex=16030100a5010000a10303767bfe7b8788314ebe9daa8f9d58cb6f85dda3b9cd360a1a590be50bab10aa69000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000040000b000403000102000a00040002001700230000000d0020001e0601060206030501050205030401040204030301030203030201020202030016000000170000
socket peek line1='\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03v{\xfe{\x87\x881N\xbe\x9d\xaa\x8f\x9dX\xcbo\x85\xdd\xa3\xb9\xcd6'
do_wrap_socket(<socket object, fd=12, family=10, type=1, protocol=0>, {'do_handshake_on_connect': False, 'suppress_ragged_eofs': True, 'server_side': True})
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/xpra/scripts/main.py", line 2315, in do_wrap_socket
    ssl_sock = wrap_socket(tcp_socket, **kwargs)
  File "/usr/lib64/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 569, in __init__
    socket.__init__(self, _sock=sock._sock)
AttributeError: '_socket.socket' object has no attribute '_sock'
Exception in thread new-tcp-connection:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 804, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 757, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 778, in handle_new_connection
    cont, conn, peek_data = self.may_wrap_socket(conn, socktype, peek_data, line1)
  File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 847, in may_wrap_socket
    sock = self._ssl_wrap_socket(sock)
  File "/usr/lib64/python2.7/site-packages/xpra/scripts/main.py", line 2321, in do_wrap_socket
    raise InitExit(EXIT_SSL_FAILURE, "Cannot wrap socket %s: %s" % (tcp_socket, e))
InitExit: Cannot wrap socket <socket object, fd=12, family=10, type=1, protocol=0>: '_socket.socket' object has no attribute '_sock'

(this error was only visible after fixing a typo in the error handler: r16806)

Change History (1)

comment:1 Changed 12 days ago by Antoine Martin

Description: modified (diff)
Resolution: fixed
Status: new → closed

r16820 fixes both issues (backport to v2.1.x in r16821):

  • add --ssl=on to proxy command line
  • re-wrap the socket object so we can then use ssl on it (found the clue here: socket vs _socketobject)
Last edited 12 days ago by Antoine Martin
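
The "socket peek" lines in the description show the server inspecting the first bytes of a new connection before it decides to SSL-wrap the socket. As an added example (not xpra's code, written for Python 3 rather than the ticket's Python 2.7; `classify_peek` and `peek_then_read` are hypothetical names), this parses the first 11 bytes of the logged peek as a TLS ClientHello header and shows that MSG_PEEK leaves the data queued for the handshake that follows:

```python
import socket
import struct

# First 11 bytes of the "socket peek hex" value logged in the ticket.
PEEK_PREFIX = bytes.fromhex("16030100a5010000a10303")

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def classify_peek(data):
    """Return the ClientHello header fields, or None if the peek is not TLS."""
    if len(data) < 11:
        return None
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    hello_ver = struct.unpack("!H", data[9:11])[0]
    if ctype != TLS_HANDSHAKE or hs_type != CLIENT_HELLO:
        return None
    if rec_ver >> 8 != 3:   # SSL 3.0 and every TLS version use major version 3
        return None
    return {"record_version": rec_ver, "record_length": rec_len,
            "handshake_length": hs_len, "hello_version": hello_ver}


def peek_then_read(payload):
    """Peek at a connection, then read it: the peek must not consume bytes."""
    client, server = socket.socketpair()
    try:
        client.sendall(payload)
        peeked = server.recv(len(payload), socket.MSG_PEEK)
        consumed = server.recv(len(payload))
        return peeked, consumed
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    info = classify_peek(PEEK_PREFIX)
    print("TLS ClientHello:", info)
    # 5-byte record header + record_length should equal the bytes peeked
    print("record bytes:", 5 + info["record_length"])
    print("peek preserved data:", peek_then_read(PEEK_PREFIX))
```

The 5-byte record header plus the record length gives the 170 bytes reported by "peek: got 170 bytes", so the log shows one complete handshake record arriving on the TCP socket before the wrap failed.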