From: Ben Darnell
Date: Fri, 25 Jul 2014 03:41:49 +0000 (-0400)
Subject: Improve error handling during ssl handshake.
X-Git-Tag: v4.1.0b1~122
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b62519b0cc4cbcf64eea6cf82d218039c8d9804;p=thirdparty%2Ftornado.git
Improve error handling during ssl handshake.
Previously if do_handshake raised an error not in CONNRESET, the socket would not be closed properly and the server would start using 100% of the cpu. Also handle EBADF errors from do_handshake without logging since they can be generated by some modes of nmap scans.
---
diff --git a/tornado/iostream.py b/tornado/iostream.py
index 3ebcd586f..059e4e93f 100644
--- a/tornado/iostream.py
+++ b/tornado/iostream.py
@@ -1184,8 +1184,14 @@ class SSLIOStream(IOStream):
 return self.close(exc_info=True)
 raise
 except socket.error as err:
- if err.args[0] in _ERRNO_CONNRESET:
+ # Some port scans (e.g. nmap in -sT mode) have been known
+ # to cause do_handshake to raise EBADF, so make that error
+ # quiet as well.
+ # https://groups.google.com/forum/?fromgroups#!topic/python-tornado/ApucKJat1_0
+ if (err.args[0] in _ERRNO_CONNRESET or
+ err.args[0] == errno.EBADF):
 return self.close(exc_info=True)
+ raise
 except AttributeError:
 # On Linux, if the connection was reset before the call to
 # wrap_socket, do_handshake will fail with an
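Review bot: The added bare `raise` at the end of the `except socket.error` branch does not close the socket itself, so the fix for the busy loop described in the commit message depends on a handler further up the call chain closing the stream; that handler and the rest of the method lie outside this hunk, so this cannot be confirmed from here. A short comment above it would record the contract, e.g. `# Unexpected errors propagate to the caller, which must close the stream.` Separately, the `err.args[0] == errno.EBADF` arm silences every EBADF raised during the handshake, including one caused by a descriptor closed elsewhere in the process, and leaves no record of scan activity; a debug-level log record before `return self.close(exc_info=True)` would keep default output quiet while preserving that signal. Because this path is reachable by any peer before authentication, a regression test that makes do_handshake raise an error outside `_ERRNO_CONNRESET` and asserts the stream ends up closed would be worth adding.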