From ca974668ba340af041471df42bb246116d1b2a0c Mon Sep 17 00:00:00 2001
From: Narayan Desai
Date: Wed, 24 Jun 2009 16:26:05 +0000
Subject: SSL: Implement protocol selection in bcfg2.conf

Add explicit knob to select encryption for client/server connections. The default value is xmlrpc/ssl, but xmlrpc/tlsv1 is also supported (needed to use DOE grid certs)

git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5297 ce84e21b-d406-0410-9b95-82705330c041
---
 src/lib/Component.py | 5 +++--
 src/lib/Proxy.py | 13 +++++++++++--
 src/lib/SSLServer.py | 15 +++++++++++----
 src/sbin/bcfg2-server | 2 ++
 4 files changed, 27 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/lib/Component.py b/src/lib/Component.py
index b3f8a0941..619fab3c5 100644
--- a/src/lib/Component.py
+++ b/src/lib/Component.py
@@ -25,7 +25,7 @@ class NoExposedMethod (Exception):
 
 def run_component (component_cls, location, daemon, pidfile_name, argv=None,
                    register=True, state_name=False, cls_kwargs={},
-                   extra_getopt='', time_out=10,
+                   extra_getopt='', time_out=10, protocol='xmlrpc/ssl',
                    certfile=None, keyfile=None, ca=None):
 
     # default settings
@@ -63,7 +63,8 @@ def run_component (component_cls, location, daemon, pidfile_name, argv=None,
         port = (port[0], int(port[1]))
     try:
         server = XMLRPCServer(port, keyfile=keyfile, certfile=certfile,
-                              register=register, timeout=time_out, ca=ca)
+                              register=register, timeout=time_out, ca=ca,
+                              protocol=protocol)
     except:
         logger.error("Server startup failed")
         os._exit(1)
diff --git a/src/lib/Proxy.py b/src/lib/Proxy.py
index 3595b1099..5a52e0af5 100644
--- a/src/lib/Proxy.py
+++ b/src/lib/Proxy.py
@@ -64,7 +64,7 @@ xmlrpclib._Method = RetryMethod
 
 class SSLHTTPConnection(httplib.HTTPConnection):
     def __init__(self, host, port=None, strict=None, timeout=90, key=None,
-                 cert=None, ca=None, scns=None):
+                 cert=None, ca=None, scns=None, protocol='xmlrpc/ssl'):
         if not has_py26:
             httplib.HTTPConnection.__init__(self, host, port, strict)
         else:
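Review bot: The new `protocol` keyword on `run_component` accepts exactly two string values, but nothing visible in the signature or the body documents which ones or where they are checked; the `# default settings` comment in the hunk is the natural place for a line such as `# protocol: 'xmlrpc/ssl' (OpenSSL negotiates the version) or 'xmlrpc/tlsv1' (TLS 1.0 only); validated in SSLServer.__init__`. The body of `run_component` continues past the hunk, so a docstring, if one exists further down, is not visible here.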
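Review bot: The bare `except:` around the `XMLRPCServer(...)` call now also swallows the `Exception` that `SSLServer.__init__` raises for an unsupported `protocol` value, reporting it only as `Server startup failed` before `os._exit(1)`; the specific value is logged by `SSLServer` first, but the traceback is discarded, and a bad protocol string remains indistinguishable from a bad certificate path or a port already in use. Changing the log call to `logger.error("Server startup failed", exc_info=1)` keeps the existing exit flow and preserves the cause in the log. Neither the bare `except:` nor the `os._exit` is introduced by this commit.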
@@ -77,6 +77,14 @@ class SSLHTTPConnection(httplib.HTTPConnection):
             self.ca_mode = ssl.CERT_REQUIRED
         else:
             self.ca_mode = ssl.CERT_NONE
+        if protocol == 'xmlrpc/ssl':
+            self.ssl_protocol = ssl.PROTOCOL_SSLv23
+        elif protocol == 'xmlrpc/tlsv1':
+            self.ssl_protocol = ssl.PROTOCOL_TLSv1
+        else:
+            self.logger.error("Unknown protocol %s" % (protocol))
+            raise Exception, "unknown protocol %s" % protocol
+
 
     def connect(self):
         rawsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -84,7 +92,8 @@ class SSLHTTPConnection(httplib.HTTPConnection):
         rawsock.settimeout(self.timeout)
         self.sock = ssl.SSLSocket(rawsock, cert_reqs=self.ca_mode,
                                   ca_certs=self.ca, suppress_ragged_eofs=True,
-                                  keyfile=self.key, certfile=self.cert)
+                                  keyfile=self.key, certfile=self.cert,
+                                  ssl_version=self.ssl_protocol)
         self.sock.connect((self.host, self.port))
         pc = self.sock.getpeercert()
         if pc and self.scns:
diff --git a/src/lib/SSLServer.py b/src/lib/SSLServer.py
index 90007cbb9..2ad69218b 100644
--- a/src/lib/SSLServer.py
+++ b/src/lib/SSLServer.py
@@ -74,7 +74,7 @@ class SSLServer (SocketServer.TCPServer, object):
     logger = logging.getLogger("Cobalt.Server.TCPServer")
 
     def __init__ (self, server_address, RequestHandlerClass, keyfile=None,
-                  certfile=None, reqCert=False, ca=None, timeout=None):
+                  certfile=None, reqCert=False, ca=None, timeout=None, protocol='xmlrpc/ssl'):
         """Initialize the SSL-TCP server.
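Review bot: The `'xmlrpc/ssl'` default maps to `ssl.PROTOCOL_SSLv23`, which in the Python 2.6 `ssl` module lets OpenSSL negotiate any version it supports, including SSLv2 and SSLv3 where the library still enables them; neither this hunk nor the commit message says so, and the same mapping is repeated in the SSLServer.py hunk at `-118,12`. A comment on the first branch would make the trade-off visible to whoever edits bcfg2.conf: `# SSLv23 = let OpenSSL negotiate (may include SSLv2/SSLv3); 'xmlrpc/tlsv1' pins TLS 1.0`. The two copies of the name-to-constant mapping could also live in one module-level dict consumed by both classes, so a future protocol name is added once. `raise Exception, "unknown protocol %s" % protocol` would be better as `ValueError`, and `self.logger` is not defined anywhere in the hunk — if `SSLHTTPConnection` has no `logger` attribute (it is not visible here), this error path raises `AttributeError` instead of the intended message.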
@@ -118,12 +118,19 @@ class SSLServer (SocketServer.TCPServer, object):
             self.mode = ssl.CERT_OPTIONAL
         else:
             self.mode = ssl.CERT_NONE
+        if protocol == 'xmlrpc/ssl':
+            self.ssl_protocol = ssl.PROTOCOL_SSLv23
+        elif protocol == 'xmlrpc/tlsv1':
+            self.ssl_protocol = ssl.PROTOCOL_TLSv1
+        else:
+            self.logger.error("Unknown protocol %s" % (protocol))
+            raise Exception, "unknown protocol %s" % protocol
 
     def get_request(self):
         (sock, sockinfo) = self.socket.accept()
         sslsock = ssl.wrap_socket(sock, server_side=True, certfile=self.certfile,
                                   keyfile=self.keyfile, cert_reqs=self.mode,
-                                  ca_certs=self.ca)
+                                  ca_certs=self.ca, ssl_version=self.ssl_protocol)
         return sslsock, sockinfo
 
     def _get_url (self):
@@ -238,7 +245,7 @@ class XMLRPCServer (SocketServer.ThreadingMixIn, SSLServer,
     """
 
     def __init__ (self, server_address, RequestHandlerClass=None,
-                  keyfile=None, certfile=None, ca=None,
+                  keyfile=None, certfile=None, ca=None, protocol='xmlrpc/ssl',
                   timeout=10, logRequests=False, register=True,
                   allow_none=True, encoding=None):
 
@@ -266,7 +273,7 @@ class XMLRPCServer (SocketServer.ThreadingMixIn, SSLServer,
 
         SSLServer.__init__(self,
                            server_address, RequestHandlerClass, ca=ca,
-                           timeout=timeout, keyfile=keyfile, certfile=certfile)
+                           timeout=timeout, keyfile=keyfile, certfile=certfile, protocol=protocol)
         self.logRequests = logRequests
         self.serve = False
         self.register = register
diff --git a/src/sbin/bcfg2-server b/src/sbin/bcfg2-server
index 1c9eab9ef..22137490d 100755
--- a/src/sbin/bcfg2-server
+++ b/src/sbin/bcfg2-server
@@ -38,6 +38,7 @@ if __name__ == '__main__':
                      'static' : Bcfg2.Options.SERVER_STATIC,
                      'encoding' : Bcfg2.Options.ENCODING,
                      'filelog' : Bcfg2.Options.LOGGING_FILE_PATH,
+                     'protocol' : Bcfg2.Options.SERVER_PROTOCOL,
                      })
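Review bot: The `protocol` validation sits after the certificate-mode selection at the end of `SSLServer.__init__`, so if `SocketServer.TCPServer.__init__` has already been called earlier in the method (its start is outside the hunk) a misconfigured value raises with the listening socket already bound; checking `protocol` first, before any socket or certificate work, fails faster and leaves nothing behind. `raise Exception, "unknown protocol %s" % protocol` should be `ValueError` so a caller can tell a configuration error apart from the socket and certificate failures raised in the same constructor. `get_request` now depends on `self.ssl_protocol` being set, which only happens on the two valid branches above, so any path that reaches `accept()` without running this block (a subclass overriding `__init__`, for instance) would fail with `AttributeError` on the first connection rather than at startup.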
@@ -49,6 +50,7 @@ if __name__ == '__main__':
                                location=setup['location'],
                                daemon = setup['daemon'],
                                pidfile_name = setup['daemon'],
+                               protocol = setup['protocol'],
                                register=False,
                                cls_kwargs={'repo':setup['repo'],
                                            'plugins':setup['plugins'],
-- 
cgit v1.2.3-1-g7c22
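Review bot: `setup['protocol']` only exists if `Bcfg2.Options.SERVER_PROTOCOL`, referenced in the preceding `-38,6` hunk, is defined, and the Options module is not among the four files this diff touches; unless it already declares that option, the server dies at startup with an `AttributeError` before any of the new protocol code runs. It is worth confirming the option is registered with `'xmlrpc/ssl'` as its default so that a bcfg2.conf without a protocol setting keeps the previous behaviour, since the value is passed through here unvalidated and is only rejected inside `SSLServer.__init__`. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.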