Alon Bar-Lev has posted comments on this change.

Change subject: Avoiding legacy health servlet usage
......................................................................


Patch Set 2:

hmmm... it suddenly came to me... I was completely misled by this code....

you should not use the host-deploy CA certificate (internal CA); you should use
the web CA, as that is what establishes trust for the API.

the web ca should be acquired using the following sequence:

 import contextlib
 import socket


 from M2Crypto import SSL, X509


 def getChainFromSSL(host):
     '''Return the certificate chain from an SSL handshake

     Parameters:
     host -- (host, port)

     Returns a list of PEM strings, leaf first, in the order the
     server sent them. Nothing is verified here: this only fetches
     the chain so the CA at the top can be pinned afterwards.

     '''
     def check_ignore(*args, **kw):
         # accept any peer certificate/hostname during the bootstrap
         return True

     ctx = SSL.Context()
     ctx.set_verify(mode=SSL.verify_none, depth=0)
     with contextlib.closing(SSL.Connection(ctx)) as sock:
         # we would like to ignore any issue with certificates
         sock.set_post_connection_check_callback(check_ignore)
         sock.connect(host)
         # if we do not shutdown some sites hang on close
         sock.shutdown(socket.SHUT_RDWR)
         return [c.as_pem() for c in sock.get_peer_cert_chain()]

 # top-most certificate the server sent (the CA, when the server
 # includes it), hashed over its DER encoding
 fingerprint = X509.load_cert_string(
     getChainFromSSL(
         ("www.google.com", 443),
     )[-1],
     X509.FORMAT_PEM,
 ).get_fingerprint(md='sha1')
 print(fingerprint)

-- 
To view, visit http://gerrit.ovirt.org/26878
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3522ccb82eee4bf7f04ded012d9badc97c55b5a0
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-hosted-engine-setup
Gerrit-Branch: master
Gerrit-Owner: Simone Tiraboschi <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: David Caro <[email protected]>
Gerrit-Reviewer: Lev Veyde <[email protected]>
Gerrit-Reviewer: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: Simone Tiraboschi <[email protected]>
Gerrit-Reviewer: Yedidyah Bar David <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
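An added example, not part of Alon's comment and not code from ovirt-hosted-engine-setup: the same bootstrap written against the Python standard library ssl module instead of M2Crypto, plus the step the posted snippet stops short of. Fetching the chain with verification disabled is only acceptable as a one-time acquisition of the web CA; the fetched CA must be compared with a fingerprint obtained out of band before it becomes the trust root for API calls. The PEM stand-ins, the sample chain and the "expected" fingerprint are constructed for offline use and are not real certificates; the host in the usage note is an assumption.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def get_chain_from_ssl(host, port=443, timeout=10):
    """Fetch the chain the server presents as PEM strings, leaf first.

    Verification is switched off on purpose: this is the bootstrap step
    that acquires the web CA, so there is nothing to verify against yet.
    The result is untrusted until pin_trust_anchor() has confirmed it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if hasattr(tls, "get_unverified_chain"):  # Python 3.13+
                ders = tls.get_unverified_chain()
            else:
                # older stdlib exposes only the leaf; the CA must then
                # come from elsewhere (e.g. the engine's web CA URL)
                ders = [tls.getpeercert(binary_form=True)]
    return [ssl.DER_cert_to_PEM_cert(der) for der in ders]


def fingerprint_pem(pem, md="sha1"):
    """Digest of the DER encoding, the same bytes M2Crypto's
    X509.get_fingerprint() hashes; uppercase hex, no separators."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(md, der).hexdigest().upper()


def pick_trust_anchor(chain_pems):
    """Top-most certificate the server sent (chain[-1] in the snippet).

    A server may omit the root, leaving an intermediate here, and a
    server under attack may send any chain at all, so this value is only
    as good as the out-of-band fingerprint check in pin_trust_anchor().
    """
    if not chain_pems:
        raise ValueError("server presented no certificates")
    return chain_pems[-1]


def _normalize(fp):
    # accept "AB:CD:..." as printed by openssl as well as bare hex
    return fp.replace(":", "").replace(" ", "").upper()


def pin_trust_anchor(chain_pems, expected_sha1):
    """Return the CA PEM if its SHA-1 fingerprint equals the value obtained
    out of band (assumption: read off the engine host); raise otherwise."""
    anchor = pick_trust_anchor(chain_pems)
    actual = fingerprint_pem(anchor, "sha1")
    if not hmac.compare_digest(_normalize(actual), _normalize(expected_sha1)):
        raise ValueError("fingerprint mismatch: got %s, expected %s"
                         % (actual, expected_sha1))
    return anchor


def make_pinned_context(ca_pem):
    """Context for the API connections that trusts only the pinned CA."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _fake_pem(payload):
    """Constructed stand-in: a PEM wrapper around arbitrary bytes so the
    pinning logic can be exercised offline. Not a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


# constructed sample chain: leaf first, "CA" last, as a server would send it
SAMPLE_CHAIN = [_fake_pem(b"leaf certificate bytes"), _fake_pem(b"abc")]
# the fingerprint an admin would have obtained out of band for the "CA"
SAMPLE_CA_SHA1 = "A9993E364706816ABA3E25717850C26C9CD0D89D"


if __name__ == "__main__":
    ca = pin_trust_anchor(SAMPLE_CHAIN, SAMPLE_CA_SHA1)
    print("pinned CA fingerprint:", fingerprint_pem(ca))
```

Against a live engine the flow is `chain = get_chain_from_ssl("engine.example.org")` (host assumed), then `ca = pin_trust_anchor(chain, fingerprint_from_console)`, then `make_pinned_context(ca)` for every subsequent API connection; the only moment verification is off is the fetch, and the fetched CA is never used until the fingerprint matches.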
