1 files changed, 26 insertions, 78 deletions

diff --git a/src/lib/Bcfg2/Client/Proxy.py b/src/lib/Bcfg2/Client/Proxy.py
index a464d6a40..679b4c52b 100644
--- a/src/lib/Bcfg2/Client/Proxy.py
+++ b/src/lib/Bcfg2/Client/Proxy.py
@@ -12,13 +12,9 @@ from Bcfg2.Compat import httplib, xmlrpclib, urlparse, quote_plus
 # M2Crypto instead.
 try:
     import ssl
-    SSL_LIB = 'py26_ssl'
     SSL_ERROR = ssl.SSLError
 except ImportError:
-    from M2Crypto import SSL
-    import M2Crypto.SSL.Checker
-    SSL_LIB = 'm2crypto'
-    SSL_ERROR = SSL.SSLError
+    raise Exception("No SSL module support")
 
 
 version = sys.version_info[:2]
@@ -123,7 +119,7 @@ class SSLHTTPConnection(httplib.HTTPConnection):
     """
 
     def __init__(self, host, port=None, strict=None, timeout=90, key=None,
-                 cert=None, ca=None, scns=None, protocol='xmlrpc/ssl'):
+                 cert=None, ca=None, scns=None, protocol='xmlrpc/tlsv1'):
         """Initializes the `httplib.HTTPConnection` object and stores security
         parameters
 
@@ -148,15 +144,15 @@ class SSLHTTPConnection(httplib.HTTPConnection):
             specify the same file as `cert` if using a file that
             contains both.  See
             http://docs.python.org/library/ssl.html#ssl-certificates
-            for details.  Required if using xmlrpc/ssl with client
-            certificate authentication.
+            for details.  Required if using client certificate
+            authentication.
         cert : string, optional
             The file system path to the local endpoint's SSL
             certificate.  May specify the same file as `cert` if using
             a file that contains both.  See
             http://docs.python.org/library/ssl.html#ssl-certificates
-            for details.  Required if using xmlrpc/ssl with client
-            certificate authentication.
+            for details.  Required if using client certificate
+            authentication.
         ca : string, optional
             The file system path to a set of concatenated certificate
             authority certs, which are used to validate certificates
@@ -187,15 +183,6 @@ class SSLHTTPConnection(httplib.HTTPConnection):
         self.timeout = timeout
 
     def connect(self):
-        """Initiates a connection using previously set attributes."""
-        if SSL_LIB == 'py26_ssl':
-            self._connect_py26ssl()
-        elif SSL_LIB == 'm2crypto':
-            self._connect_m2crypto()
-        else:
-            raise Exception("No SSL module support")
-
-    def _connect_py26ssl(self):
         """Initiates a connection using the ssl module."""
         # check for IPv6
         hostip = socket.getaddrinfo(self.host,
@@ -242,60 +229,11 @@ class SSLHTTPConnection(httplib.HTTPConnection):
                 raise CertificateError(scn)
         self.sock.closeSocket = True
 
-    def _connect_m2crypto(self):
-        """Initiates a connection using the M2Crypto module."""
-
-        if self.protocol == 'xmlrpc/ssl':
-            ctx = SSL.Context('sslv23')
-        elif self.protocol == 'xmlrpc/tlsv1':
-            ctx = SSL.Context('tlsv1')
-        else:
-            self.logger.error("Unknown protocol %s" % (self.protocol))
-            raise Exception("unknown protocol %s" % self.protocol)
-
-        if self.ca:
-            # Use the certificate authority to validate the cert
-            # presented by the server
-            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert,
-                           depth=9)
-            if ctx.load_verify_locations(self.ca) != 1:
-                raise Exception('No CA certs')
-        else:
-            self.logger.warning("No ca is specified. Cannot authenticate the "
-                                "server with SSL.")
-
-        if self.cert and self.key:
-            # A cert/key is defined, use them to support client
-            # authentication to the server
-            ctx.load_cert(self.cert, self.key)
-        elif self.cert:
-            self.logger.warning("SSL cert specfied, but no key. Cannot "
-                                "authenticate this client with SSL.")
-        elif self.key:
-            self.logger.warning("SSL key specfied, but no cert. Cannot "
-                                "authenticate this client with SSL.")
-
-        self.sock = SSL.Connection(ctx)
-        if re.match('\\d+\\.\\d+\\.\\d+\\.\\d+', self.host):
-            # host is ip address
-            try:
-                hostname = socket.gethostbyaddr(self.host)[0]
-            except:
-                # fall back to ip address
-                hostname = self.host
-        else:
-            hostname = self.host
-        try:
-            self.sock.connect((hostname, self.port))
-            # automatically checks cert matches host
-        except M2Crypto.SSL.Checker.WrongHost:
-            wr = sys.exc_info()[1]
-            raise CertificateError(wr)
-
 
 class XMLRPCTransport(xmlrpclib.Transport):
     def __init__(self, key=None, cert=None, ca=None,
-                 scns=None, use_datetime=0, timeout=90):
+                 scns=None, use_datetime=0, timeout=90,
+                 protocol='xmlrpc/tlsv1'):
         if hasattr(xmlrpclib.Transport, '__init__'):
             xmlrpclib.Transport.__init__(self, use_datetime)
         self.key = key
@@ -303,6 +241,7 @@ class XMLRPCTransport(xmlrpclib.Transport):
         self.ca = ca
         self.scns = scns
         self.timeout = timeout
+        self.protocol = protocol
 
     def make_connection(self, host):
         host, self._extra_headers = self.get_host_info(host)[0:2]
@@ -311,7 +250,8 @@ class XMLRPCTransport(xmlrpclib.Transport):
                                  cert=self.cert,
                                  ca=self.ca,
                                  scns=self.scns,
-                                 timeout=self.timeout)
+                                 timeout=self.timeout,
+                                 protocol=self.protocol)
 
     def request(self, host, handler, request_body, verbose=0):
         """Send request to server and return response."""
@@ -354,9 +294,15 @@ class ComponentProxy(xmlrpclib.ServerProxy):
     """Constructs proxies to components. """
 
     options = [
-        Bcfg2.Options.Common.location, Bcfg2.Options.Common.ssl_key,
-        Bcfg2.Options.Common.ssl_cert, Bcfg2.Options.Common.ssl_ca,
+        Bcfg2.Options.Common.location, Bcfg2.Options.Common.ssl_ca,
         Bcfg2.Options.Common.password, Bcfg2.Options.Common.client_timeout,
+        Bcfg2.Options.Common.protocol,
+        Bcfg2.Options.PathOption(
+            '--ssl-key', cf=('communication', 'key'), dest="key",
+            help='Path to SSL key'),
+        Bcfg2.Options.PathOption(
+            cf=('communication', 'certificate'), dest="cert",
+            help='Path to SSL certificate'),
         Bcfg2.Options.Option(
             "-u", "--user", default="root", cf=('communication', 'user'),
             help='The user to provide for authentication'),
@@ -386,10 +332,12 @@ class ComponentProxy(xmlrpclib.ServerProxy):
                 path)
         else:
             url = Bcfg2.Options.setup.server
-        ssl_trans = XMLRPCTransport(Bcfg2.Options.setup.key,
-                                    Bcfg2.Options.setup.cert,
-                                    Bcfg2.Options.setup.ca,
-                                    Bcfg2.Options.setup.ssl_cns,
-                                    Bcfg2.Options.setup.client_timeout)
+        ssl_trans = XMLRPCTransport(
+            key=Bcfg2.Options.setup.key,
+            cert=Bcfg2.Options.setup.cert,
+            ca=Bcfg2.Options.setup.ca,
+            scns=Bcfg2.Options.setup.ssl_cns,
+            timeout=Bcfg2.Options.setup.client_timeout,
+            protocol=Bcfg2.Options.setup.protocol)
         xmlrpclib.ServerProxy.__init__(self, url,
                                        allow_none=True, transport=ssl_trans)