New patch submitted by Federico Simoncelli (fsimonce(a)redhat.com) You can review this change at: http://gerrit.usersys.redhat.com/851 commit 449cfc4f89403d2d348fbeed68e76bd7f63397c6 Author: Federico Simoncelli <fsimonce(a)redhat.com&gt; Date: Wed Aug 24 12:45:07 2011 +0000 Check certificate purpose in vdsClient Change-Id: I3ad83ee57df1a3b3a52ea47c529ef3e4af57e2fb diff --git a/vdsm_cli/vdscli.py.in b/vdsm_cli/vdscli.py.in index 5644a50..dfb97cf 100644 --- a/vdsm_cli/vdscli.py.in +++ b/vdsm_cli/vdscli.py.in @@ -19,9 +19,10 @@ # Refer to the README and COPYING files for full details of the license # +import os import xmlrpclib import subprocess -import os +import M2Crypto d_useSSL = False d_tsPath = '@TRUSTSTORE@' @@ -86,9 +87,6 @@ def connect(addrport=None, useSSL=None, tsPath=None): if useSSL is None: useSSL = d_useSSL if tsPath is None: tsPath = d_tsPath if useSSL: - from M2Crypto.m2xmlrpclib import SSL_Transport - from M2Crypto import SSL - if os.name == 'nt': KEYFILE = tsPath + '\\keys\\rhevm.pem' CERTFILE = tsPath + '\\certs\\rhevm.cer' @@ -98,14 +96,20 @@ def connect(addrport=None, useSSL=None, tsPath=None): CERTFILE = tsPath + '/certs/vdsmcert.pem' CACERT = tsPath + '/certs/cacert.pem' - ctx = SSL.Context ('sslv3') + ctx = M2Crypto.SSL.Context ('sslv3') + + crt = M2Crypto.X509.load_cert(CERTFILE) + if not crt.check_purpose(M2Crypto.m2.X509_PURPOSE_SSL_CLIENT, 0): + raise RuntimeError, \ + "Certificate is not suitable to be used as client" - ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 16) + ctx.set_verify(M2Crypto.SSL.verify_peer | + M2Crypto.SSL.verify_fail_if_no_peer_cert, 16) ctx.load_verify_locations(CACERT) ctx.load_cert(CERTFILE, KEYFILE, lambda v: "mypass") server = xmlrpclib.Server('https://%s' % addrport, - SSL_Transport(ctx)) + M2Crypto.m2xmlrpclib.SSL_Transport(ctx)) else: server = xmlrpclib.Server('http://%s' % addrport) return server