Dan Kenigsberg has posted comments on this change.

Change subject: Implement SSL session cache
......................................................................


Patch Set 2: I would prefer that you didn't submit this

(4 inline comments)

Would you be kind enough to add a unit test for this, and integrate it with our "nose" framework?

....................................................
File vdsm/SecureXMLRPCServer.py
Line 34: import httplib
Line 35: import socket
Line 36: import SocketServer
Line 37: 
Line 38: from OpenSSL import SSL
please make this new dependency explicit in vdsm.spec
Line 39: 
Line 40: 
Line 41: class SSLServerSocket(object):
Line 42:     """SSL decorator for server sockets.


Line 41: class SSLServerSocket(object):
Line 42:     """SSL decorator for server sockets.
Line 43: 
Line 44:     This class wraps a normal socket so that when the accept method
Line 45:     is called the client socket as also decorated with SSL functionality.
as->is
Line 46:     The rest of the methods are just delegated to the raw socket.
Line 47:     """
Line 48: 
Line 49:     def __init__(self, raw, certfile=None, keyfile=None, ca_certs=None):


Line 51:         # calls to it later:
Line 52:         self.raw = raw
Line 53: 
Line 54:         # Create the OpenSSL context:
Line 55:         self.context = SSL.Context(SSL.SSLv3_METHOD)
Don't blame me, but afair this forbids TLSv1.

SSLv23_METHOD means "anything but the broken SSLv1", which is what we want. See SSL_CTX_new(3)
Line 56:         self.context.set_session_id("vdsm")
Line 57: 
Line 58:         # Load the crendentials:
Line 59:         if certfile and keyfile:


Line 165:                  logRequests, allow_none, encoding,
Line 166:                  bind_and_activate=False)
Line 167:         self.socket = SSLServerSocket(self.socket,
Line 168:                  keyfile=keyfile, certfile=certfile,
Line 169:                  ca_certs=ca_certs)
are the removed defaults maintained? (I don't recall their importance atm, and did not check).
Line 170:         if timeout is not None:
Line 171:             self.socket.settimeout = timeout
Line 172:         if bind_and_activate:
Line 173:             self.server_bind()


--
To view, visit http://gerrit.ovirt.org/8123
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ic75adee4070b415b8855af1f2ea289825496fbc1
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Yaniv Bronhaim <[email protected]>
Gerrit-Reviewer: Yaniv Kaul <[email protected]>
_______________________________________________
vdsm-patches mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches