From ca974668ba340af041471df42bb246116d1b2a0c Mon Sep 17 00:00:00 2001
From: Narayan Desai
Date: Wed, 24 Jun 2009 16:26:05 +0000
Subject: SSL: Implement protocol selection in bcfg2.conf

Add explicit knob to select encryption for client/server connections. The default value is xmlrpc/ssl, but xmlrpc/tlsv1 is also supported (needed to use DOE grid certs)

git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5297 ce84e21b-d406-0410-9b95-82705330c041
---
 src/lib/Proxy.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'src/lib/Proxy.py')

diff --git a/src/lib/Proxy.py b/src/lib/Proxy.py
index 3595b1099..5a52e0af5 100644
--- a/src/lib/Proxy.py
+++ b/src/lib/Proxy.py
@@ -64,7 +64,7 @@ xmlrpclib._Method = RetryMethod
 class SSLHTTPConnection(httplib.HTTPConnection):
     def __init__(self, host, port=None, strict=None, timeout=90, key=None,
-                 cert=None, ca=None, scns=None):
+                 cert=None, ca=None, scns=None, protocol='xmlrpc/ssl'):
         if not has_py26:
             httplib.HTTPConnection.__init__(self, host, port, strict)
         else:
@@ -77,6 +77,14 @@ class SSLHTTPConnection(httplib.HTTPConnection):
             self.ca_mode = ssl.CERT_REQUIRED
         else:
             self.ca_mode = ssl.CERT_NONE
+        if protocol == 'xmlrpc/ssl':
+            self.ssl_protocol = ssl.PROTOCOL_SSLv23
+        elif protocol == 'xmlrpc/tlsv1':
+            self.ssl_protocol = ssl.PROTOCOL_TLSv1
+        else:
+            self.logger.error("Unknown protocol %s" % (protocol))
+            raise Exception, "unknown protocol %s" % protocol
+
 
     def connect(self):
         rawsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -84,7 +92,8 @@ class SSLHTTPConnection(httplib.HTTPConnection):
         rawsock.settimeout(self.timeout)
         self.sock = ssl.SSLSocket(rawsock, cert_reqs=self.ca_mode,
                                   ca_certs=self.ca, suppress_ragged_eofs=True,
-                                  keyfile=self.key, certfile=self.cert)
+                                  keyfile=self.key, certfile=self.cert,
+                                  ssl_version=self.ssl_protocol)
         self.sock.connect((self.host, self.port))
         pc = self.sock.getpeercert()
         if pc and self.scns:
-- 
cgit v1.2.3-1-g7c22
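Review bot: The `'xmlrpc/ssl'` default maps to `ssl.PROTOCOL_SSLv23`, which in the ssl module of this era can let the handshake settle on SSLv2 or SSLv3 when the peer offers nothing newer, so the default setting is weaker than the `'xmlrpc/tlsv1'` alternative that the commit message presents only as a grid-certificate workaround; the bcfg2.conf documentation for the new key should state this and recommend `xmlrpc/tlsv1` wherever the server supports it. `self.logger` is not assigned anywhere in the hunk, and if it is not set earlier in `__init__` (the body starts in the previous hunk) the unknown-protocol branch fails with AttributeError before the intended exception is raised. The error path also uses the bare `Exception` class, which callers cannot catch selectively; `raise ValueError("unknown protocol %s" % protocol)` names the actual fault. A short `__init__` docstring listing the accepted `protocol` values (`'xmlrpc/ssl'`, `'xmlrpc/tlsv1'`) and which `ssl.PROTOCOL_*` constant each selects would help configuration authors.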
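Review bot: After `self.sock.connect` the code inspects the peer certificate but never records which protocol version was actually negotiated, which matters now that `ssl_version=self.ssl_protocol` may be the permissive `PROTOCOL_SSLv23`; a debug log of `self.sock.cipher()` (which, if the ssl module in use provides it, returns the cipher name, protocol version and key bits) beside the `getpeercert()` call would let an operator confirm the connection did not fall back to SSLv3. `connect` continues past the end of the hunk, so I cannot tell whether a later line already logs this.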