From Dan Kenigsberg danken@redhat.com:
Dan Kenigsberg has uploaded a new change for review.
Change subject: sslutils: add info to SSLHandshake errors
sslutils: add info to SSLHandshake errors
Include name of peer and its full certificate if they do not match, in order to understand which non-legitimate client attempts to connect.
Change-Id: I0cb2d7e0c6c86ca12a34be13b07bc960e3ad313e
Signed-off-by: Dan Kenigsberg danken@redhat.com
---
M lib/vdsm/sslutils.py
1 file changed, 6 insertions(+), 3 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/21/76221/1
diff --git a/lib/vdsm/sslutils.py b/lib/vdsm/sslutils.py index 10fc172..8c349ca 100644 --- a/lib/vdsm/sslutils.py +++ b/lib/vdsm/sslutils.py @@ -219,9 +219,12 @@ if self._is_handshaking: self._handshake(dispatcher) else: - if not self._verify_host(dispatcher.socket.getpeercert(), - dispatcher.socket.getpeername()[0]): - self.log.error("peer certificate does not match host name") + peercert = dispatcher.socket.getpeercert() + peername = dispatcher.socket.getpeername()[0] + if not self._verify_host(peercert, peername): + self.log.error( + "peer certificate '%s' does not match host name '%s'", + peercert, peername) dispatcher.socket.close() return
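Review bot: the new self.log.error call writes the entire peercert value into the log with '%s', for a peer that has just failed host verification. The certificate content comes from the remote side, so every mismatching connection now produces a long error-level line made of peer-chosen strings. Consider logging only the fields needed to identify the client (for example the subject and subjectAltName entries) and formatting them with %r so that embedded newlines or control characters are escaped. It is also worth deciding what the message should say if getpeercert() returns an empty value here, since '%s' would then print nothing useful about the peer beyond peername.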
From Dan Kenigsberg danken@redhat.com:
Dan Kenigsberg has posted comments on this change.
Change subject: sslutils: add info to SSLHandshake errors
Patch Set 2:
thanks Piotr, that was very kind of you.
From Dan Kenigsberg danken@redhat.com:
Dan Kenigsberg has submitted this change and it was merged. ( https://gerrit.ovirt.org/76221 )
Change subject: sslutils: add info to SSLHandshake errors
sslutils: add info to SSLHandshake errors
Include name of peer and its full certificate if they do not match, in order to understand which non-legitimate client attempts to connect.
Change-Id: I0cb2d7e0c6c86ca12a34be13b07bc960e3ad313e
Signed-off-by: Dan Kenigsberg danken@redhat.com
---
M lib/vdsm/sslutils.py
1 file changed, 6 insertions(+), 3 deletions(-)
Approvals:
  Piotr Kliczewski: Verified; Looks good to me, approved
  Jenkins CI: Passed CI tests
vdsm-patches@lists.fedorahosted.org