summaryrefslogtreecommitdiffstats
path: root/doc/unsorted/ssl.txt
blob: 91b62ca59d3d7e5ecee583504bd45cfbc7694681 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
.. -*- mode: rst -*-

.. _unsorted-ssl:

==========
Python SSL
==========

The ssl module can be found `here <http://pypi.python.org/pypi/ssl>`_.

With this change, SSL certificate based client authentication is
supported. In order to use this, based CA-type capabilities are
required. A central CA needs to be created, with each server and all
clients getting a signed cert. See [wiki:Authentication] for details.

Setting up keys is accomplished with three settings, each in the
"`[communication]`" section of ``bcfg2.conf``::

    key = /path/to/ssl private key
    certificate = /path/to/signed cert for that key
    ca = /path/to/cacert.pem


Python SSL Backport Packaging
=============================

Both the Bcfg2 server and client are able to use the in-tree ssl module
included with python 2.6. The client is also able to still use M2Crypto. A
python ssl backport exists for 2.3, 2.4, and 2.5. With this, M2Crypto
is not needed, and tlslite is no longer included with Bcfg2 sources. See
[wiki:Authentication] for details.

To build a package of the ssl backport for .deb based distributions
that don't ship with python 2.6, you can follow these instructions,
which use `stdeb`_. Alternatively if you happen to have .deb packaging
skills, it would be great to get policy-complaint .debs into the major
deb-based distributions.

.. _stdeb: http://github.com/astraw/stdeb/tree/master

The following commands were used to generate :download:`this
<python-ssl_1.14-1_amd64.deb>` debian package The ``easy_install`` command
can be found in the `python-setuptools` package.::

    sudo aptitude install python-all-dev fakeroot
    sudo easy_install stdeb
    wget http://pypi.python.org/packages/source/s/ssl/ssl-1.14.tar.gz#md5=4e08aae0cd2c7388d1b4bbb7f374b14a
    tar xvfz ssl-1.14.tar.gz
    cd ssl-1.14
    stdeb_run_setup
    cd deb_dist/ssl-1.14
    dpkg-buildpackage -rfakeroot -uc -us
    sudo dpkg -i ../python-ssl_1.14-1_amd64.deb

.. note:: Version numbers for the SSL module have changed.

For complete Bcfg2 goodness, you'll also want to package stdeb using stdeb.
The completed debian package can be grabbed from :download:`here
<python-stdeb_0.3-1_all.deb>`, which was generated using the following::

    sudo aptitude install apt-file
    wget http://pypi.python.org/packages/source/s/stdeb/stdeb-0.3.tar.gz#md5=e692f745597dcdd9343ce133e3b910d0
    tar xvfz stdeb-0.3.tar.gz
    cd stdeb-0.3
    stdeb_run_setup
    cd deb_dist/stdeb-0.3
    dpkg-buildpackage -rfakeroot -uc -us
    sudo dpkg -i ../python-stdeb_0.3-1_all.deb