New patch submitted by Federico Simoncelli (fsimonce@redhat.com)
You can review this change at: http://gerrit.usersys.redhat.com/851
commit 449cfc4f89403d2d348fbeed68e76bd7f63397c6
Author: Federico Simoncelli fsimonce@redhat.com
Date: Wed Aug 24 12:45:07 2011 +0000
Check certificate purpose in vdsClient
Change-Id: I3ad83ee57df1a3b3a52ea47c529ef3e4af57e2fb
diff --git a/vdsm_cli/vdscli.py.in b/vdsm_cli/vdscli.py.in index 5644a50..dfb97cf 100644 --- a/vdsm_cli/vdscli.py.in +++ b/vdsm_cli/vdscli.py.in @@ -19,9 +19,10 @@ # Refer to the README and COPYING files for full details of the license #
+import os import xmlrpclib import subprocess -import os +import M2Crypto
d_useSSL = False d_tsPath = '@TRUSTSTORE@' @@ -86,9 +87,6 @@ def connect(addrport=None, useSSL=None, tsPath=None): if useSSL is None: useSSL = d_useSSL if tsPath is None: tsPath = d_tsPath if useSSL: - from M2Crypto.m2xmlrpclib import SSL_Transport - from M2Crypto import SSL - if os.name == 'nt': KEYFILE = tsPath + '\keys\rhevm.pem' CERTFILE = tsPath + '\certs\rhevm.cer' @@ -98,14 +96,20 @@ def connect(addrport=None, useSSL=None, tsPath=None): CERTFILE = tsPath + '/certs/vdsmcert.pem' CACERT = tsPath + '/certs/cacert.pem'
- ctx = SSL.Context ('sslv3') + ctx = M2Crypto.SSL.Context ('sslv3') + + crt = M2Crypto.X509.load_cert(CERTFILE) + if not crt.check_purpose(M2Crypto.m2.X509_PURPOSE_SSL_CLIENT, 0): + raise RuntimeError, \ + "Certificate is not suitable to be used as client"
- ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 16) + ctx.set_verify(M2Crypto.SSL.verify_peer | + M2Crypto.SSL.verify_fail_if_no_peer_cert, 16) ctx.load_verify_locations(CACERT) ctx.load_cert(CERTFILE, KEYFILE, lambda v: "mypass")
server = xmlrpclib.Server('https://%s' % addrport, - SSL_Transport(ctx)) + M2Crypto.m2xmlrpclib.SSL_Transport(ctx)) else: server = xmlrpclib.Server('http://%s' % addrport) return server
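Review bot: the module-level `import M2Crypto` added in the first hunk, together with the removal of the two lazy imports under `if useSSL:` in connect(), makes M2Crypto a hard import for every user of vdscli, including callers that leave useSSL at its default `d_useSSL = False` and only ever reach the plain `http://` branch. Keeping the import inside the `if useSSL:` block would preserve the old behaviour, where a missing M2Crypto only affects SSL connections.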
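Review bot: the RuntimeError raised after `crt.check_purpose(M2Crypto.m2.X509_PURPOSE_SSL_CLIENT, 0)` does not say which certificate failed; include CERTFILE in the message so the operator knows which file under tsPath to replace. The check also sits ahead of `ctx.load_cert(CERTFILE, KEYFILE, ...)`, so CERTFILE is read twice, and a failure inside `M2Crypto.X509.load_cert` itself is not covered by the new message. The rewritten `M2Crypto.SSL.Context ('sslv3')` line still pins SSLv3, which is worth revisiting while this line is being touched, and the comma form `raise RuntimeError, \` would read better as a call with the message as its argument.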
Saggi Mizrahi has posted comments on this change.
Change subject: Check certificate purpose in vdsClient
Patch Set 1: I would prefer that you didn't submit this
We would like to remove the dependency on m2crypto. Is there another way of doing this?
-- To view, visit http://gerrit.usersys.redhat.com/851 To unsubscribe, visit http://gerrit.usersys.redhat.com/settings
Gerrit-MessageType: comment Gerrit-Change-Id: I3ad83ee57df1a3b3a52ea47c529ef3e4af57e2fb Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Federico Simoncelli fsimonce@redhat.com Gerrit-Reviewer: Dan Kenigsberg danken@redhat.com Gerrit-Reviewer: Igor Lvovsky ilvovsky@redhat.com Gerrit-Reviewer: Saggi Mizrahi smizrahi@redhat.com
Dan Kenigsberg has posted comments on this change.
Patch Set 1:
and I'll appreciate a short explanation why this check is important.
Federico Simoncelli has posted comments on this change.
Patch Set 1:
Since there are several libraries that might provide this service, could you suggest one that is not deprecated? I looked at OpenSSL and it's not providing this check out of the box, so I'd need to implement it somehow. Is this a preferable solution? The motivation for this check (that I will include in the commit message) is that if RHEVM provides a certificate not suitable for the client (as happened a week ago), we catch the problem and provide a more understandable error message.
Federico Simoncelli has abandoned this change.
Patch Set 1: Abandoned
Nobody ever liked this (me included). Ugly.
vdsm-patches@lists.fedorahosted.org