Hello Saggi Mizrahi, Dan Kenigsberg,
I'd like you to do a code review. Please visit
https://gerrit.ovirt.org/43183
to review the following change.
Change subject: ssl: ssl protocol configurable
......................................................................
ssl: ssl protocol configurable
We make ssl protocol configurable in config.py.
Change-Id: Idb4889cb30f23c5e3e9221893cf07a02d051d8b5
Signed-off-by: pkliczewski <piotr.kliczewski(a)gmail.com>
Bug-Url: https://bugzilla.redhat.com/1154184
Reviewed-on: http://gerrit.ovirt.org/34345
Reviewed-by: Dan Kenigsberg <danken(a)redhat.com>
Reviewed-by: Saggi Mizrahi <smizrahi(a)redhat.com>
---
M lib/vdsm/config.py.in
M lib/vdsm/sslutils.py
M vdsm/clientIF.py
3 files changed, 7 insertions(+), 2 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/83/43183/1
diff --git a/lib/vdsm/config.py.in b/lib/vdsm/config.py.in
index 944aaa8..c9e5719 100644
--- a/lib/vdsm/config.py.in
+++ b/lib/vdsm/config.py.in
@@ -228,6 +228,9 @@
('transient_disks_repository', '@VDSMLIBDIR@/transient',
'Local path to the transient disks repository.'),
+
+ ('ssl_protocol', 'sslv23',
+ 'SSL protocol used by encrypted connection'),
]),
# Section: [ksm]
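Review bot: The help text on the new 'ssl_protocol' entry ('SSL protocol used by encrypted connection') does not say which values are accepted, so an administrator editing the option has nothing to go on. Suggest listing the valid names in the description, at least 'sslv23' and 'tlsv1' since both appear in this change, and stating what 'sslv23' selects: if it carries its usual OpenSSL meaning it negotiates the protocol version with the peer rather than pinning one, which is worth spelling out for anyone choosing a value for security reasons.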
diff --git a/lib/vdsm/sslutils.py b/lib/vdsm/sslutils.py
index 8cbaad0..0ba92d0 100644
--- a/lib/vdsm/sslutils.py
+++ b/lib/vdsm/sslutils.py
@@ -132,7 +132,7 @@
class SSLContext(object):
def __init__(self, cert_file, key_file, ca_cert=None, session_id="SSL",
- protocol="sslv23"):
+ protocol="tlsv1"):
self.cert_file = cert_file
self.key_file = key_file
self.ca_cert = ca_cert
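Review bot: The default for protocol in SSLContext.__init__ changes from "sslv23" to "tlsv1", while the new config default in config.py.in is 'sslv23', so the two defaults now disagree. clientIF.py passes the configured value explicitly, so this default only applies to callers that omit protocol, and those change protocol silently with this patch. Suggest keeping a single default in one place (for example by having every caller pass the configured value), or at least mentioning the default change in the commit message, which currently only says the protocol becomes configurable.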
diff --git a/vdsm/clientIF.py b/vdsm/clientIF.py
index 3678f9d..f300ee0 100644
--- a/vdsm/clientIF.py
+++ b/vdsm/clientIF.py
@@ -170,7 +170,9 @@
key_file = os.path.join(truststore_path, 'keys',
'vdsmkey.pem')
cert_file = os.path.join(truststore_path, 'certs',
'vdsmcert.pem')
ca_cert = os.path.join(truststore_path, 'certs',
'cacert.pem')
- sslctx = SSLContext(cert_file, key_file, ca_cert)
+ protocol = config.get('vars', 'ssl_protocol')
+ sslctx = SSLContext(cert_file, key_file, ca_cert=ca_cert,
+ protocol=protocol)
return sslctx
def _prepareXMLRPCBinding(self, port):
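Review bot: The string returned by config.get('vars', 'ssl_protocol') is passed to SSLContext with no check in this hunk, so a typo or unsupported name in the config file is only caught, if at all, wherever SSLContext interprets it. Suggest validating the value against the supported protocol names here or in SSLContext.__init__, and failing with an error that names the 'ssl_protocol' option and the accepted values.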
--
To view, visit
https://gerrit.ovirt.org/43183
Gerrit-MessageType: newchange
Gerrit-Change-Id: Idb4889cb30f23c5e3e9221893cf07a02d051d8b5
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: ovirt-3.5
Gerrit-Owner: Piotr Kliczewski <piotr.kliczewski(a)gmail.com>
Gerrit-Reviewer: Dan Kenigsberg <danken(a)redhat.com>
Gerrit-Reviewer: Saggi Mizrahi <smizrahi(a)redhat.com>