author | Narayan Desai <desai@mcs.anl.gov> | 2006-06-02 21:08:53 +0000 |
---|---|---|
committer | Narayan Desai <desai@mcs.anl.gov> | 2006-06-02 21:08:53 +0000 |
commit | b36e11a35e722cddeccfd1c4cd92a9d6dc623d7e (patch) | |
tree | 34c7a42b7db51976d6ebc2b41ad51bb0cf5d2105 /src/lib/Server/Component.py | |
parent | 8a9a0968340d998bc46195bde54e28d57f5f8850 (diff) | |
download | bcfg2-b36e11a35e722cddeccfd1c4cd92a9d6dc623d7e.tar.gz bcfg2-b36e11a35e722cddeccfd1c4cd92a9d6dc623d7e.tar.bz2 bcfg2-b36e11a35e722cddeccfd1c4cd92a9d6dc623d7e.zip |
Initial checkin of peer SSL cert checks
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@1869 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src/lib/Server/Component.py')
-rw-r--r-- | src/lib/Server/Component.py | 41 |
1 files changed, 37 insertions, 4 deletions
diff --git a/src/lib/Server/Component.py b/src/lib/Server/Component.py
index 73f28446e..3315276b2 100644
--- a/src/lib/Server/Component.py
+++ b/src/lib/Server/Component.py
@@ -51,13 +51,45 @@ class SSLServer(BaseHTTPServer.HTTPServer):
 def __init__(self, address, keyfile, handler):
 SocketServer.BaseServer.__init__(self, address, handler)
 ctxt = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
- ctxt.use_privatekey_file (keyfile)
- ctxt.use_certificate_file(keyfile)
+ ctxt.use_privatekey_file ('/tmp/keys/server.pkey')
+ ctxt.use_certificate_file('/tmp/keys/server.cert')
+ ctxt.load_verify_locations('/tmp/keys/CA.cert')
+ ctxt.set_verify(OpenSSL.SSL.VERIFY_PEER, self.verify_cb)
 self.socket = OpenSSL.SSL.Connection(ctxt, socket.socket(self.address_family, self.socket_type))
 self.server_bind()
 self.server_activate()
+
+ def verify_cb(self, conn, cert, errnum, depth, ok): '''handle cerificate verification''' print "here" print 'Got cert: %s' % (cert.get_subject()) print cert.get_pubkey() return ok
+
+
+# print cert.subject_name_hash()
+#
+# print dir(cert.get_pubkey())
+# return ok
+ def handle_request(self): """Handle one request, possibly blocking.""" try: request, client_address = self.get_request() except socket.error: return if self.verify_request(request, client_address): try: self.process_request(request, client_address) except Exception, err: print err if err[0][0][0] == 'SSL routines': log.error("%s from %s" % (err[0][0][2], client_address[0])) else: log.error("Unknown socket I/O failure from %s" % (client_address[0]), exc_info=1) self.close_request(request)
 class Component(SSLServer,
 SimpleXMLRPCServer.SimpleXMLRPCDispatcher):
 """Cobalt component providing XML-RPC access"""
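Review bot: `ctxt.set_verify(OpenSSL.SSL.VERIFY_PEER, self.verify_cb)` without `VERIFY_FAIL_IF_NO_PEER_CERT` lets a client that presents no certificate at all complete the handshake, and `verify_cb` only prints the subject and returns `ok` unchanged, so nothing in this hunk actually rejects an unauthenticated peer; use `ctxt.set_verify(OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.verify_cb)` and drop the `print "here"` debugging output. The private key, certificate and CA trust anchor are loaded from fixed paths under `/tmp/keys/`, a world-writable directory, so any local user who stages a `CA.cert` there before the daemon starts decides which clients are trusted; these paths belong in root-owned configuration (the `keyfile` parameter is now unused). In `handle_request`, `except Exception, err` catches every exception but then indexes `err[0][0][0]` as if it were an `OpenSSL.SSL.Error`, which will typically raise `TypeError` or `IndexError` out of the handler for any other failure and never reach the `else` branch; catch `OpenSSL.SSL.Error` first and fall through to the generic `log.error(..., exc_info=1)` for everything else. It also logs through a module-level `log` while the rest of this file appears to use `self.logger`; confirm `log` is defined. The `SSLServer` class header sits above this hunk and `Component`'s body continues below it.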
@@ -93,7 +125,8 @@ class Component(SSLServer,
 else:
 location = (socket.gethostname(), 0)
 try:
- keyfile = self.cfile.get('communication', 'key')
+ #keyfile = self.cfile.get('communication', 'key')
+ keyfile = '/tmp/keys/server.pkey'
 except ConfigParser.NoOptionError:
 print "No key specified in cobalt.conf"
 raise SystemExit, 1
@@ -103,7 +136,7 @@ class Component(SSLServer,
 try:
 SSLServer.__init__(self, location, keyfile, CobaltXMLRPCRequestHandler)
 except:
- self.logger.error("Failed to load ssl key %s" % (keyfile))
+ self.logger.error("Failed to load ssl key %s" % (keyfile), exc_info=1)
 raise ComponentInitError
 SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self)
 self.logRequests = 0
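Review bot: Replacing the config lookup with the literal `keyfile = '/tmp/keys/server.pkey'` makes the surrounding `except ConfigParser.NoOptionError` unreachable and silently ignores the `communication`/`key` setting operators already have in cobalt.conf; if this is a temporary test path, mark it `# TODO: restore config lookup`, otherwise restore `keyfile = self.cfile.get('communication', 'key')`. Note that `SSLServer.__init__` in this same commit no longer reads its `keyfile` argument, so the value computed here has no effect on which key is actually loaded. The enclosing `__init__` starts and ends outside this hunk.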
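Review bot: The changed line still logs `"Failed to load ssl key %s" % (keyfile)`, but after this commit `SSLServer.__init__` loads `/tmp/keys/server.pkey`, `server.cert` and `CA.cert` regardless of `keyfile`, so the path in the message is not the file that failed; `exc_info=1` helps, but the message should name what is really loaded. The bare `except:` above it also catches `KeyboardInterrupt` and `SystemExit` and converts them into `ComponentInitError`; narrowing it to `except (OpenSSL.SSL.Error, IOError):` keeps the traceback pointed at the real cause. The enclosing `__init__` starts and ends outside this hunk.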