git.ipfire.org Git - thirdparty/tornado.git/commitdiff
Improve error handling during ssl handshake.
author Ben Darnell <ben@bendarnell.com>
Fri, 25 Jul 2014 03:41:49 +0000 (23:41 -0400)
committer Ben Darnell <ben@bendarnell.com>
Fri, 25 Jul 2014 03:41:49 +0000 (23:41 -0400)
Previously if do_handshake raised an error not in CONNRESET,
the socket would not be closed properly and the server would start
using 100% of the cpu.

Also handle EBADF errors from do_handshake without logging since
they can be generated by some modes of nmap scans.

tornado/iostream.py

index 3ebcd586fcdc8c8cc0b03dd8e72f4965460e6304..059e4e93f663abd8382c1b0103a1f4c86204eb6b 100644 (file)
@@ -1184,8 +1184,14 @@ class SSLIOStream(IOStream):
                 return self.close(exc_info=True)
             raise
         except socket.error as err:
-            if err.args[0] in _ERRNO_CONNRESET:
+            # Some port scans (e.g. nmap in -sT mode) have been known
+            # to cause do_handshake to raise EBADF, so make that error
+            # quiet as well.
+            # https://groups.google.com/forum/?fromgroups#!topic/python-tornado/ApucKJat1_0
+            if (err.args[0] in _ERRNO_CONNRESET or
+                err.args[0] == errno.EBADF):
                 return self.close(exc_info=True)
+            raise
         except AttributeError:
             # On Linux, if the connection was reset before the call to
             # wrap_socket, do_handshake will fail with an
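Review bot: The new bare `raise` at the end of the `except socket.error` branch propagates every other errno without calling `self.close()` here, and nothing in the hunk shows which caller closes the stream. Since the commit message ties the 100% CPU symptom to the socket not being closed, add a short comment next to the `raise` naming where the close happens, and a regression test that makes do_handshake fail with an errno outside `_ERRNO_CONNRESET` and asserts the stream ends up closed. Separately, `err.args[0] == errno.EBADF` is now handled as quietly as a connection reset, but EBADF can also mean the descriptor was closed elsewhere in the process; a debug-level log on that path would keep scan noise out of the error log while leaving that case diagnosable.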