Juan Hernandez has posted comments on this change.
Change subject: Implement SSL session cache
......................................................................
Patch Set 2: (5 inline comments)
Yaniv, can you point me to some documentation of that renegotiation
vulnerability and its workaround? I will try to apply the same here.
....................................................
File vdsm/SecureXMLRPCServer.py
Line 34: import httplib
Line 35: import socket
Line 36: import SocketServer
Line 37:
Line 38: from OpenSSL import SSL
Done
Line 39:
Line 40:
Line 41: class SSLServerSocket(object):
Line 42: """SSL decorator for server sockets.
Line 43:
Line 44: This class wraps a normal socket so that when the accept method
Line 45: is called the client socket as also decorated with SSL functionality.
Done
Line 46: The rest of the methods are just delegated to the raw socket.
Line 47: """
Line 48:
Line 49: def __init__(self, raw, certfile=None, keyfile=None, ca_certs=None):
Line 51: # calls to it later:
Line 52: self.raw = raw
Line 53:
Line 54: # Create the OpenSSL context:
Line 55: self.context = SSL.Context(SSL.SSLv3_METHOD)
Done
Line 56: self.context.set_session_id("vdsm")
Line 57:
Line 58: # Load the crendentials:
Line 59: if certfile and keyfile:
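Review bot: SSL.Context(SSL.SSLv3_METHOD) on line 55 pins the server to SSLv3 only, so a client that offers TLS cannot negotiate it; consider SSL.TLSv1_METHOD, or SSL.SSLv23_METHOD together with set_options(SSL.OP_NO_SSLv2) so that the highest version both sides support is chosen.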
Line 70: SSL.VERIFY_CLIENT_ONCE,
Line 71: SSLServerSocket.verify)
Line 72:
Line 73: @staticmethod
Line 74: def verify(connection, certificate, x, y, z):
As we use the VERIFY_FAIL_IF_NO_PEER_CERT option in the set_verify function the
library will check the certificate and abort the handshake automatically. So I
think all we need to do here is report the error in the log. I am adding that
to the next patch set.
Line 75: # No need for additional verifications:
Line 76: return True
Line 77:
Line 78: def __getattr__(self, name):
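Review bot: the unconditional "return True" on line 76 overrides OpenSSL's own verification result. The last argument of the callback (named "z" on line 74) carries the pre-verification outcome for each certificate in the chain, and it is the callback's return value, not the VERIFY_* flags, that decides whether the handshake continues; with this callback VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT only enforces that some certificate is presented, and an untrusted or expired one is accepted. Return the pre-verification result instead (e.g. "return bool(z)") and log when it is false; renaming the parameters to errnum, depth, ok would make that intent readable.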
Line 165: logRequests, allow_none, encoding,
Line 166: bind_and_activate=False)
Line 167: self.socket = SSLServerSocket(self.socket,
Line 168: keyfile=keyfile, certfile=certfile,
Line 169: ca_certs=ca_certs)
The defaults that were here still apply:
1. server_side=True is implemented by the call to
"Connection.set_accept_state()".
2. cert_reqs=ssl.CERT_REQUIRED is implemented by the VERIFY_PEER and
VERIFY_FAIL_IF_NO_PEER_CERT flags to the "Connection.set_verify()" method.
3. do_handshake_on_connect=False corresponds to not calling
"Connection.do_handshake()" right after "Connection.set_accept_state()".
Line 170: if timeout is not None:
Line 171: self.socket.settimeout = timeout
Line 172: if bind_and_activate:
Line 173: self.server_bind()
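Review bot: line 171 assigns the integer to the attribute name instead of calling the method, so the raw socket's timeout is never changed and "settimeout" on the wrapper is replaced by an int; "self.socket.settimeout = timeout" should be "self.socket.settimeout(timeout)", which __getattr__ on SSLServerSocket will delegate to the raw socket.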
--
To view, visit http://gerrit.ovirt.org/8123
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic75adee4070b415b8855af1f2ea289825496fbc1
Gerrit-PatchSet: 2
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Yaniv Bronhaim <[email protected]>
Gerrit-Reviewer: Yaniv Kaul <[email protected]>
_______________________________________________
vdsm-patches mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches